Security is a foundational pillar of Share Of Model. The platform is designed, operated and continuously improved in alignment with SOC 2 security principles, industry best practices and customer expectations.
Continuous security testing
Share Of Model goes beyond standard compliance requirements with continuous security testing across its applications.
- Application penetration tests are performed on an ongoing basis, exceeding the SOC 2 minimum annual requirement.
- Weekly penetration testing is conducted with Acunetix, including before major releases or production changes.
- The most recent penetration test was conducted in 2025.
- Acunetix for weekly dynamic scanning.
- Snyk and DeepSource for continuous code and dependency scanning.
- Vulnerabilities are surfaced proactively, including before production deployments.
Secure development lifecycle
Security is embedded throughout development:
- OWASP-aligned secure coding practices.
- Automated security reviews integrated into CI pipelines.
- Manual peer code reviews systematically performed.
- Bot protection including dynamic CAPTCHA on unauthenticated entry points.
Identity and access management
Access control is strictly enforced for accountability and least privilege.
- Federated authentication via OAuth 2.0 and Auth0.
- MFA enforced for privileged accounts (password + one-time verification code).
- Named individual accounts only — no shared accounts.
- Privileged access reviews every 3 months.
- Automatic deactivation after 3 months of inactivity.
Secure configuration and infrastructure
Layered controls protect the platform:
- All access and administration over TLS 1.2 or TLS 1.3.
- Cloudflare WAF for protection against common web threats.
- APIs secured via authentication, authorisation and WAF-level protections.
- Dev and prod environments are strictly segregated — no real personal data outside production.
Encryption and data protection
Data protection is enforced at every stage.
- All data is encrypted in transit using TLS.
- Encryption at rest using Google Cloud native encryption mechanisms.
- AES-256 with Google Cloud KMS, automated key rotation and audit logging.
Logging, monitoring and auditability
Security events are continuously monitored.
- Sensitive-data access is logged and monitored for abnormal patterns.
- Changes to personal data are fully traceable via centralised audit logs.
- Logs include timestamp, actor identity and action type.
- Logs are retained for at least 6 months before secure deletion.
- access and authentication events,
- creation, updates and deletion of resources,
- configuration changes,
- permission and role updates,
- any other significant actions performed by users.
Data retention and lifecycle
Robust data governance:
- Configurable retention and deletion policies, aligned contractually with customer requirements.
- Automatic data deletion, including full deletion at contract termination.
- Read-only data archiving where applicable.
Backup, disaster recovery and business continuity
- Daily backups stored in EU data centres with ISO 27001-certified providers.
- Documented backup and restore procedures, tested annually. Last test: November 2025.
- A documented Disaster Recovery Plan supported by Google Cloud replication and redundancy.
- DRP tests cover partial recovery and full failover. Most recent test: August 2025.
Infrastructure security testing
Jellyfish continuously validates its security posture.
- Weekly system and network vulnerability scans with Acunetix.
- External and internal penetration tests by VAADATA, including source-code analysis.