Dendrons Compass Suite
Security & data protection
You are trusting us with an honest account of your AI governance posture - often before your regulator has seen it. We treat that data the way you would want your own auditors to.
Questions, disclosure reports, or security reviews for procurement: np@dendrons.ai
Infrastructure
Hosting
Vercel (SOC 2 Type 2 certified platform), serverless compute, no long-lived servers to patch.
Database
Google Cloud SQL (PostgreSQL) with encryption at rest and in transit, private authorised connections only.
AI processing
Google Vertex AI within our own GCP project. Your responses are not used to train any model.
Credentials
Workload Identity Federation - no long-lived cloud keys exist anywhere in the stack.
Data protection
Encryption in transit
TLS 1.2+ everywhere, HSTS enforced across all subdomains.
Encryption at rest
All database storage and report PDFs encrypted at rest (Google-managed keys).
Report access
Report URLs are unguessable UUIDs. Shared links use AES-256-GCM encrypted tokens and show a redacted executive view only.
Search engines
Reports, dashboards, and account pages are excluded from indexing at both the header and robots level.
Your rights over your data
Benchmarking
Sector benchmarks are computed only from anonymous aggregates - never your name, organisation, or responses. You can opt out.
Deletion
Email np@dendrons.ai from your registered address and we delete your assessments, reports, and monitoring data within 7 days.
Export
You can request a full export of your data in machine-readable form at any time.
No resale
We never sell, share, or license your data to third parties.
Application security
Authentication
Passwordless magic-link sign-in (Supabase Auth). No passwords stored, nothing to breach.
API protection
All write endpoints are rate limited; StayReady ingestion supports API-key authentication.
Payments
Handled entirely by Razorpay (PCI DSS Level 1). Card details never touch our servers.
Audit trail
StayReady maintains an append-only audit log of every monitoring event for regulator review.
Compliance alignment
Our own practices are aligned to the frameworks we assess against: the DPDP Act 2023 (consent, purpose limitation, data minimisation), and the spirit of ISO/IEC 27001 controls for access management and encryption. Formal certification is on our roadmap as we grow - ask us for the current status in your procurement review.