Trust & Security
Built for the procurement team.
Tier-based 99.9% Commercial SLA with service credits, downloadable DPA + DDQ for legal review, SOC 2 Type 1 in observation, BetterStack-backed live status. Direct vulnerability disclosure to security@secapi.ai.
Security posture
Defense in depth on every layer of the stack.
Authentication is enforced at the edge for every request: long-lived API keys (32-byte randomly generated, SHA-256 hashed at rest, raw keys never persisted) plus short-lived WorkOS bearer tokens. Tenant isolation is enforced at the application layer with tenant-scoped query filtering and per-organization rate limiting. All ingress terminates at Cloudflare with WAF and DDoS protection; all data is encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent). A comprehensive internal security audit completed 2026-04-26 found zero high-severity exploitable findings.
- Auth: API keys (SHA-256 hashed) + WorkOS bearer tokens; MFA required for administrators.
- Encryption: TLS 1.2+ in transit (mTLS to Postgres); AES-256 at rest for primary databases, object storage, and backups.
- Network: Cloudflare WAF + DDoS at the edge; only HTTPS (443) publicly exposed; tenant-isolated networking.
- Audit: 224 REST routes + 35 MCP tools verified for auth and tenant scoping; STRIDE-lite threat model on file.
- Vulnerability disclosure: email security@secapi.ai for one-business-day acknowledgement.
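The key-handling scheme described above (32 random bytes, SHA-256 digest at rest, raw key never persisted, tenant-scoped filtering after authentication), as an added illustration that is not secapi.ai's own code; the in-memory KEY_STORE, the "sk_" prefix and the row format are assumptions standing in for the real key table and database.

```python
from __future__ import annotations

import hashlib
import secrets

KEY_PREFIX = "sk_"  # assumed prefix; lets a leaked key be recognised by scanners

# Constructed in-memory stand-in for the key table: indexed by the SHA-256 hex
# digest of the raw key. The raw key itself is never written here.
KEY_STORE: dict[str, dict] = {}


def _digest(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def issue_api_key(tenant_id: str) -> str:
    """Mint a key from 32 CSPRNG bytes, persist only its hash, hand back the raw key once."""
    raw_key = KEY_PREFIX + secrets.token_urlsafe(32)  # 32 random bytes, URL-safe base64
    KEY_STORE[_digest(raw_key)] = {"tenant_id": tenant_id, "revoked": False}
    return raw_key  # shown to the creator at issue time, then discarded server-side


def revoke_api_key(raw_key: str) -> bool:
    record = KEY_STORE.get(_digest(raw_key))
    if record is None:
        return False
    record["revoked"] = True
    return True


def authenticate(presented_key: str | None) -> str | None:
    """Hash the presented key and look the digest up; return the tenant_id or None."""
    if not presented_key or not presented_key.startswith(KEY_PREFIX):
        return None
    record = KEY_STORE.get(_digest(presented_key))  # DB equivalent: WHERE key_hash = ?
    if record is None or record["revoked"]:
        return None
    return record["tenant_id"]


def handle_list_request(presented_key: str | None, rows: list[dict]) -> list[dict] | None:
    """Authenticate first, then apply a tenant-scoped filter so no cross-tenant row can leak."""
    tenant_id = authenticate(presented_key)
    if tenant_id is None:
        return None  # the real API would answer 401 here
    return [row for row in rows if row["tenant_id"] == tenant_id]
```

A compromise of the key table therefore yields only digests, which cannot be replayed as bearer credentials.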
Data Processing Agreement
Article 28 / GDPR-compliant DPA with EU + UK + Swiss SCCs incorporated by reference.
The Data Processing Agreement governs how secapi.ai processes Customer Personal Data on Customer's behalf as a Processor. It includes Article 28 obligations, technical and organizational measures (Annex II), the current sub-processor list (Annex III), and the EU SCCs (Module Two) plus the UK Addendum and Swiss adaptations for Restricted Transfers. Provider notifies Customer of any Personal Data Breach within 72 hours of becoming aware.
- GDPR Article 28 + UK GDPR + Swiss FADP + CCPA / CPRA.
- EU SCCs (2021/914) Module Two with Module Three available; UK Addendum + Swiss adaptations incorporated.
- 30 days advance notice of new sub-processors; right to object on data-protection grounds.
- 72-hour breach notification with documented information requirements (Article 33 GDPR).
- Annex II technical and organizational measures cover authentication, encryption, network, monitoring, vulnerability management, personnel, and BCP/DR.
Due Diligence Questionnaire
Vendor security DDQ aligned to Vanta / SIG Lite procurement formats.
The Due Diligence Questionnaire summarises secapi.ai's security, privacy, and operational posture in a question-and-answer format that procurement, legal, and security review teams can route through their own intake processes without rewriting. Sections cover company info, service description, compliance and certifications, security organization, authentication, encryption, network and infrastructure, vulnerability management, logging and incident response, data lifecycle, sub-processors, BCP/DR, SLA, insurance, and supporting documentation available on request.
- 16 sections aligned to common procurement DDQ formats (Vanta DDQ + SIG Lite).
- Compliance roadmap is honest: SOC 2 Type 1 in observation (not yet certified), GDPR / UK GDPR / FADP / CCPA compliant.
- Supporting reports (DPA, pen test summary, SOC 2 report once issued, insurance certificates) available under NDA on request to security@secapi.ai.
Service Level Agreement
Tier-based uptime targets with service credits on Commercial.
Uptime targets and remedies depend on the customer's plan tier. Commercial customers receive service credits on SLA breach; Personal and Team tiers carry support-response targets without credits; Free and PAYG are best-effort.
Commercial
99.9% monthly uptime
Service credits on breach (10% / 25% / 50% of monthly fee depending on severity). 1 business hour P0 support response, 24x7 critical bug response, named account executive, escalation procedure documented.
Personal · Team
99.5% monthly uptime
Support response targets: Personal 1 business day P0, Team 4 business hours P0, both 24-hour critical bug acknowledgement. No service credits at this tier; uptime is best-effort against the 99.5% target.
Free · PAYG
Best-effort uptime
Best-effort uptime, best-effort support. Webhook delivery (when configured) carries the same 99.9% delivery SLA across all tiers.
SLA detail
Service-credit calculation, escalation procedure, breach-claim contact.
Downtime is measured against sustained 5xx error rates (>5% for 5+ consecutive minutes across healthy regions) per BetterStack and internal probes. Service-credit claims must be submitted to support@secapi.ai within 30 days of the end of the affected calendar month with supporting evidence (request IDs, error timestamps). Provider responds within 10 business days. Credits cap at 50% of the monthly fee for any single month and are issued against future invoices. Webhook delivery has its own 99.9% delivery SLA documented separately.
- Excluded from downtime: scheduled maintenance (48h notice), emergency security maintenance, customer-side failures, third-party failures outside Provider's reasonable control, force majeure, beta/preview features.
- Status communication: 15-minute initial acknowledgement on /status for P0/P1 incidents, 30-minute updates during active P0/P1, post-incident review for P0 incidents within 10 business days.
- Status feed: subscribe to https://secapi.ai/status.rss for programmatic monitoring.
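The downtime rule above (a minute counts only inside a run of five or more consecutive minutes with more than 5% 5xx responses, with scheduled-maintenance minutes excluded) as an added worked example, not secapi.ai's own monitoring code; the per-minute probe summary and the maintenance window are constructed, the single-region view is a simplification, and treating excluded minutes as still part of the run but not billed is an assumption.

```python
from __future__ import annotations

ERROR_RATE_THRESHOLD = 0.05  # a degraded minute has more than 5% of responses as 5xx
MIN_SUSTAINED_MINUTES = 5    # sustained for 5 or more consecutive minutes
COMMERCIAL_TARGET = 0.999    # 99.9% monthly uptime on the Commercial tier

# Constructed per-minute probe summary for a 30-minute window: (responses, 5xx responses).
SAMPLE_MINUTES: list[tuple[int, int]] = [(1000, 0)] * 30
for _m in range(10, 17):   # minutes 10..16: 10% 5xx for 7 minutes -> sustained, counts
    SAMPLE_MINUTES[_m] = (1000, 100)
for _m in range(20, 23):   # minutes 20..22: 50% 5xx for only 3 minutes -> not sustained
    SAMPLE_MINUTES[_m] = (1000, 500)
# Constructed scheduled-maintenance window (48h notice given) covering minutes 15 and 16.
MAINTENANCE_MINUTES: set[int] = {15, 16}


def is_degraded(responses: int, errors_5xx: int) -> bool:
    return responses > 0 and errors_5xx / responses > ERROR_RATE_THRESHOLD


def downtime_minutes(samples: list[tuple[int, int]], excluded: set[int]) -> int:
    """Count minutes inside degraded runs of >= MIN_SUSTAINED_MINUTES, less excluded minutes."""
    counted = 0
    run: list[int] = []
    # A healthy sentinel minute is appended so the final run is always flushed.
    for minute, (responses, errors_5xx) in enumerate(list(samples) + [(1, 0)]):
        if is_degraded(responses, errors_5xx):
            run.append(minute)
            continue
        if len(run) >= MIN_SUSTAINED_MINUTES:
            counted += sum(1 for m in run if m not in excluded)
        run = []
    return counted


def monthly_uptime(samples: list[tuple[int, int]], excluded: set[int]) -> float:
    """Uptime fraction over the window, in the same units the credit claim is judged on."""
    return 1.0 - downtime_minutes(samples, excluded) / len(samples)


def sla_breached(samples: list[tuple[int, int]], excluded: set[int],
                 target: float = COMMERCIAL_TARGET) -> bool:
    return monthly_uptime(samples, excluded) < target
```

Keeping the per-minute request IDs and timestamps behind each degraded run is what turns this computation into the supporting evidence a credit claim needs.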
SOC 2 roadmap
SOC 2 Type 1 in observation; target audit completion Q3–Q4 2026.
secapi.ai is in the early stages of a formal SOC 2 program. The observation window has not yet started; Vanta/Drata kickoff is scheduled. Target Type 1 audit completion is Q3–Q4 2026, with Type 2 to follow after the 12-month observation window. Internal controls are already aligned to the SOC 2 Trust Services Criteria categories (Security, Availability, Confidentiality) — encryption, access control, change management, incident response, vendor management, and audit logging — pending formal evidence collection and external audit.
- Status: observation window not yet started.
- Target Type 1 audit completion: Q3–Q4 2026.
- Type 2 follows Type 1 after the 12-month observation window.
- We do not claim SOC 2 certification before audit completion. The Trust page will reflect the actual state.
Sub-processors
Vendors that process Customer data on our behalf.
Provider gives at least 30 days advance notice before authorising a new sub-processor and customers may object on data-protection grounds. The current customer-facing list:
Edge / WAF / DDoS
Cloudflare, Inc.
Edge CDN, Web Application Firewall, DDoS protection, edge caching for read-only public assets. US, global edge.
Billing
Stripe, Inc.
Billing, payment processing, payment-method tokenization, invoicing. Cardholder data is held by Stripe; Provider does not store cardholder data. US.
LLM API
Anthropic PBC
Large language model API (Claude) for documentation Q&A and optional enrichment workflows. US.
LLM API (optional)
OpenAI OpCo, LLC
Large language model API (GPT) for optional enrichment workflows. Engaged only when the Customer enables it. US.
Secrets management
Infisical (Solomon Labs, Inc.)
Centralized secrets management for application credentials and infrastructure secrets. US.
Uptime monitoring
BetterStack
Uptime monitoring, public status page hosting, incident notification. EU / US.
Error tracking
Functional Software, Inc. (Sentry)
Application error tracking, exception monitoring, release health. US / EU.
Product analytics (optional)
PostHog, Inc.
Product analytics for dashboard usability. Engaged only when Customer-side analytics opt-in is set. US / EU.
Transactional email
Resend (Drift Labs, Inc.)
Transactional email delivery (account confirmations, billing notifications, support replies). US.
Application hosting
Railway Corp.
Application hosting platform for the API tier and dashboard. US (multi-region).
Authentication
WorkOS, Inc.
Authentication, directory, session management, future SSO and SCIM provisioning. US.
Data quality + freshness
Trust as a substantive engineering posture, not a slogan.
Provenance, freshness, and materialization metadata are first-class on every API response. Filing-page traceability lets you go from any derived number back to the underlying SEC filing and page. Benchmarks (FinanceBench, custom suites) are run continuously and published with methodology. Operational state is exposed via the live status page and the public freshness dashboard.
Contact security
Found a vulnerability? Procurement question? Routing legal review?
Email security@secapi.ai. We acknowledge within one business day. For commercial and procurement questions, you can also reach support@secapi.ai. The live status page tracks active incidents and historical uptime.