
# Security & Compliance

> How Share Of Model is designed, operated and continuously improved against SOC 2 principles and best practices.

Security is a foundational pillar of Share Of Model. The platform is designed, operated and continuously improved in alignment with SOC 2 security principles, industry best practices and customer expectations.

## Continuous security testing

Share Of Model goes beyond standard compliance requirements with continuous security testing across its applications.

* **Application penetration tests** are performed on an ongoing basis, exceeding the SOC 2 minimum annual requirement.
* **Weekly penetration testing** is conducted with Acunetix, including before major releases or production changes.
* The most recent penetration test was conducted in **2025**.

Automated vulnerability scanning is continuously enforced:

* **Acunetix** for weekly dynamic scanning.
* **Snyk** and **DeepSource** for continuous code and dependency scanning.
* Vulnerabilities are surfaced proactively, including before production deployments.

## Secure development lifecycle

Security is embedded throughout development:

* **OWASP-aligned secure coding practices**.
* **Automated security reviews** integrated into CI pipelines.
* **Manual peer code reviews** systematically performed.
* **Bot protection** including dynamic CAPTCHA on unauthenticated entry points.

## Identity and access management

Access control is strictly enforced for accountability and least privilege.

* **Federated authentication** via OAuth 2.0 and Auth0.
* **MFA enforced** for privileged accounts (password + one-time verification code).
* **Named individual accounts only** — no shared accounts.
* **Privileged access reviews** every 3 months.
* **Automatic deactivation** after 3 months of inactivity.

All account lifecycle events are logged and retained for auditability.

## Secure configuration and infrastructure

Layered controls protect the platform:

* All access and administration over **TLS 1.2 or TLS 1.3**.
* **Cloudflare WAF** for protection against common web threats.
* APIs secured via authentication, authorisation and WAF-level protections.
* **Dev and prod environments are strictly segregated** — no real personal data outside production.

## Encryption and data protection

Data protection is enforced at every stage.

* **All data is encrypted in transit** using TLS.
* **Encryption at rest** using Google Cloud native encryption mechanisms.
* **AES-256** encryption with keys managed in Google Cloud KMS, including automated key rotation and audit logging of key usage.

## Logging, monitoring and auditability

Security events are continuously monitored.

* Sensitive-data access is logged and monitored for abnormal patterns.
* Changes to personal data are fully traceable via centralised audit logs.
* Logs include timestamp, actor identity and action type.
* Logs are **retained for at least 6 months** before secure deletion.

All user actions are logged:

* access and authentication events,
* creation, updates and deletion of resources,
* configuration changes,
* permission and role updates,
* any other significant actions performed by users.

Logs are centralised in **Google Cloud** and monitored via **Google Cloud Security Command Center**.

## Data retention and lifecycle

Data governance controls include:

* Configurable **retention and deletion policies**, aligned contractually with customer requirements.
* **Automatic data deletion**, including full deletion at contract termination.
* **Read-only data archiving** where applicable.

## Backup, disaster recovery and business continuity

* Daily backups stored in EU data centres with **ISO 27001-certified** providers.
* Documented backup and restore procedures, tested annually. Last test: **November 2025**.
* A documented **Disaster Recovery Plan** supported by Google Cloud replication and redundancy.
* DRP tests cover partial recovery and full failover. Most recent test: **August 2025**.

## Infrastructure security testing

Jellyfish continuously validates its security posture.

* **Weekly system and network vulnerability scans** with Acunetix.
* **External and internal penetration tests** by VAADATA, including source-code analysis.

## In summary

<Tip>
  Share Of Model combines continuous security testing, strong identity controls, secure infrastructure, encrypted data handling and rigorous monitoring — secure by design, compliant by default, continuously improving.
</Tip>

## What's next

<CardGroup cols={2}>
  <Card title="Data Collection & Compliance" icon="shield-halved" href="/platform/getting-started/understanding-data-collection-and-compliance-in-share-of-model-platform">
    What we collect and how we keep it.
  </Card>

  <Card title="SLA & SLO" icon="gauge-high" href="/platform/getting-started/sla-slo-engagement">
    Availability commitments.
  </Card>
</CardGroup>
