
Compliance Center

Security & Compliance Overview

Everything your compliance team needs for vendor due diligence — policies, controls, and documentation in one place.

Last updated: March 2026

Compliance Posture

In Place

17 Security Policies Adopted
AES-256 Encryption (at rest & in transit)
SOC 2 Certified Hosting Infrastructure
Formal Governance Structure

In Progress

SOC 2 Type II Certification
Penetration Testing

Security Controls & Policies

17 policies adopted across six categories. Policy documents are available upon request.

Information Security

Information Security Policy
Data Classification Policy
Encryption Policy
Data Retention & Disposal Policy

Access & Personnel

Access Control Policy
Personnel Security Policy

Infrastructure & Network

Network Security Policy
System Configuration & Hardening Policy

Risk & Incident Management

Risk Assessment Policy
Incident Response Policy

Operations & Change

Change Management Policy
Business Continuity Policy
Disaster Recovery Policy

Governance

Acceptable Use Policy
Vendor Management Policy
Privacy Policy
Code of Conduct

Compliance Documents

Security Architecture

Encryption

AES-256 at rest, TLS 1.3 in transit. Per-family encryption keys for cryptographic isolation.

Data Residency

All data processed and stored exclusively in the United States on SOC 2 certified infrastructure.

Access Control

Role-based access control, mandatory MFA, per-family isolation boundaries. All access logged.

Monitoring

Continuous monitoring with automated threat detection, anomaly detection, and 24/7 incident response.

Frequently Asked Questions

What is your SOC 2 status?

entropyFA is hosted on SOC 2 Type II certified cloud infrastructure. Our own SOC 2 Type II certification is currently in progress. We have adopted 17 security policies aligned to the SOC 2 Trust Services Criteria and are working with an independent auditor.

Has entropyFA completed penetration testing?

Penetration testing is currently in progress. Results will be available upon request under NDA once complete.

What is the breach notification timeline?

72 hours from confirmation of a security incident involving client data. This is a contractual commitment in our Data Confidentiality Agreement, Section 6.

How is data isolated between clients?

Per-family data isolation with dedicated access boundaries and per-family encryption keys. Data is never commingled across households in queries, processing, or storage.

Can I get a list of subprocessors?

Yes. A current list of subprocessors is available upon request. Contact support@entropyfa.com.

Need additional documentation?

Additional compliance materials — including policy documents, penetration test results, and subprocessor lists — are available under NDA.
