Security

Your data.
Our responsibility.

Security is not a feature we ship. It is the foundation every workflow, extraction, and integration is built on. Here is exactly how we protect your operations.

AES-256: Encryption at rest
TLS 1.3: Encryption in transit
99.9%: Uptime SLA
24h: Max incident response
Standards & Certifications
SOC 2 Type II
GDPR Ready
ISO 27001 In Progress
TLS 1.3
AES-256
MFA Enforced
Core pillars

How we protect your data

Four interlocking layers. Every customer record, workflow run, and extracted document is covered by all of them simultaneously.

01
Encryption

All data is encrypted at rest using AES-256 and in transit over TLS 1.3. Encryption keys are rotated automatically and managed through a dedicated key management service with strict access controls.

AES-256, TLS 1.3, Key Rotation
02
Access Control

Role-based access control (RBAC) with least-privilege defaults. SSO via SAML 2.0 and OIDC. Multi-factor authentication is enforced for all user accounts. All access events are audit-logged.

RBAC, MFA, SSO / SAML, Audit Log
03
Infrastructure

Hosted on tier-1 cloud infrastructure with multi-region redundancy. Network traffic is isolated per customer using private VPCs. Automated daily backups with point-in-time recovery. 99.9% SLA.

Multi-Region, Private VPC, Daily Backups
04
Monitoring & Response

Continuous anomaly detection across API calls, workflow executions, and authentication events. Security incidents trigger automated escalation. Annual third-party penetration testing. Maximum 24-hour incident response.

24h Response, Pen Testing, Anomaly Detection
Data Handling

How your data moves through us

From the moment data enters Silkroute to the moment you request deletion, here is every stage and the control you have at each one.

Stage 01
Ingestion
Data enters over TLS 1.3. Email attachments and API payloads are scanned for malware before processing begins.
Stage 02
Processing
Workflows run in isolated execution environments. TRACE extractions happen in ephemeral containers. No document persists beyond the extraction window unless you opt in.
Stage 03
Storage
Structured data is stored AES-256 encrypted in isolated customer namespaces. No cross-tenant data access is architecturally possible.
Stage 04
Access
Only your team members with explicit RBAC permissions can read your data. Silkroute staff access requires dual approval and leaves a full audit trail.
Stage 05
Deletion
On account termination or explicit deletion request, all data is cryptographically erased within 30 days. Deletion is confirmed in writing.
Compliance

Standards we meet

We maintain and pursue the certifications that matter most to enterprise and midmarket operations teams.

Standard | Scope | Status
SOC 2 Type II | Security, Availability, Confidentiality trust service criteria across the full Silkroute platform. | Active
GDPR | Data processing agreements, data subject rights, and lawful basis documentation for EU customer data. | Active
ISO 27001 | Information security management system certification across engineering and operations functions. | In Progress
CCPA | California Consumer Privacy Act compliance for US resident data handling and opt-out processes. | Active
HIPAA | Healthcare data handling for customers operating in regulated medical supply chains. | Planned
Vulnerability Disclosure

Found a vulnerability?

We appreciate responsible disclosure. If you have discovered a security issue in Silkroute, please report it privately before any public disclosure. We commit to acknowledging your report within 24 hours and providing a resolution timeline within 72 hours.

technical@silkroutelabs.org

Please encrypt sensitive reports using our PGP key, available on request from the address above.

Disclosure Process
Submit your report
Email a clear description of the vulnerability, reproduction steps, and any proof-of-concept to technical@silkroutelabs.org.
Acknowledgement within 24 hours
We will confirm receipt and assign a severity classification. You will receive a named contact for the duration of the process.
Resolution timeline in 72 hours
We provide an estimated fix date. Critical issues are patched within 7 days; high severity within 30 days.
Coordinated disclosure
We will coordinate with you on timing before any public disclosure. Researchers who follow this process are publicly credited if they wish.
Common Questions

Security FAQ

Answers to the questions our customers ask most during security reviews and vendor assessments.

In exceptional circumstances, such as responding to a support escalation you have initiated, a small number of authorized Silkroute engineers can access your data. All such access requires dual approval from two senior staff members, is time-limited, and is logged to an immutable audit trail that you can request at any time.
By default, customer data is stored in US-East data centers. Enterprise customers can elect EU-only or APAC storage regions for data residency requirements. Data replication across availability zones stays within the selected region.
Yes. The SOC 2 Type II report is available under NDA to customers on an active plan or active procurement process. Contact technical@silkroutelabs.org with your company name and we will send a link within one business day.
Integration credentials (OAuth tokens, API keys) are encrypted at rest and never logged in plaintext. Each integration connection is scoped to the minimum required permissions and can be revoked from the Silkroute dashboard without contacting support.
You have 30 days after cancellation to export your data in full. After that window, all data is cryptographically erased from primary and backup storage. You will receive a written deletion confirmation. Backups containing your data are purged within the following backup rotation cycle, typically 90 days maximum.
Yes. We engage an independent third-party security firm to conduct a full penetration test annually, covering the web application, API, and internal network. Findings are remediated according to severity. Summaries of results are available to customers on request.

Questions about security?

Our technical team responds to security enquiries within one business day.

technical@silkroutelabs.org