Competitor Research

Trust

Security

Last updated April 16, 2026

Customers trust us with what they know about their competition. Here is what we do to earn that trust, and the inbox you can always use to check any of it.
01

Our approach

Security is a product requirement, not a compliance afterthought. We design with defense in depth, assume every layer can fail, and limit the blast radius when one does. This page is a living summary of what that means in practice.

02

What we do

Encrypted in transit and at rest

All traffic uses TLS 1.2 or newer. Data at rest is encrypted with AES-256. Backups are encrypted with their own keys, separate from the production keys and rotated on their own schedule.

Least-privilege access

Employees access production only through short-lived, audited, MFA-protected sessions. No static database credentials in developer environments.

Hardened cloud infrastructure

We run on US-based cloud providers that hold SOC 2 Type II attestations. Workloads are isolated per tenant at the database and object-store layer.

Continuous monitoring

Security-relevant events stream into a 24/7 monitoring pipeline with alerting for anomalies, unauthorized access attempts, and configuration drift.

Code-level rigor

Every change is code-reviewed. We run static analysis, dependency scanning, and secret detection on every commit, plus third-party penetration tests annually.

Business continuity

We back up data on a rolling schedule, run recovery drills, and maintain a recovery time objective (RTO) under 4 hours and a recovery point objective (RPO) under 1 hour for our production stores.

03

Data handling

You own your data. We process it only to deliver the Service. Production data is segmented by tenant and is never copied onto developer laptops. Access to production data is logged and reviewed.

We do not use your content to train third-party generative models. Where we use LLMs inside the product, customer data flows through vendors under zero-retention agreements, so prompts and outputs are not retained by the vendor beyond the request.

04

Authentication & access

Accounts can sign in with a password plus TOTP, with passkeys, or, on business plans, with SSO (SAML or OIDC). Sessions are short-lived and bound to device fingerprints. Admins get granular role-based access control and an audit log that covers every sensitive action in the product.

On our side, employee access to production follows zero-standing-privilege principles: access is requested just-in-time, approved, logged, and expires automatically.

05

Vulnerability management

We run dependency and container scanning on every build, patch critical vulnerabilities within 24 hours, and high-severity ones within 7 days. Third-party penetration tests happen annually and after any significant change to our architecture.

If you believe you have found a vulnerability, please send details to security@competitoresearch.com. We acknowledge reports within one business day and will not pursue legal action against researchers who act in good faith.

06

Incident response

We maintain a documented incident response plan with on-call rotations, severity levels, and communication playbooks. If a security incident affects your data, we will notify you without undue delay, typically within 72 hours, with what we know, what we have done, and what you need to do.

07

Compliance

We align to SOC 2 Type II controls and are actively pursuing a SOC 2 Type II attestation report. GDPR- and CCPA-style data subject requests are routed to our privacy team and fulfilled within statutory deadlines.

Compliance documentation, including a completed SIG Lite, subprocessor list, and DPA, is available on request for customers and prospects under NDA.

08

Contact

Security questions, disclosures, or compliance requests go to security@competitoresearch.com.

Questions?

Reach us at legal@competitoresearch.com and we will reply within two business days.