Dendrons Compass Suite

Security & data protection

You are trusting us with an honest account of your AI governance posture - often before your regulator has seen it. We treat that data the way you would want your own auditors to.

Questions, disclosure reports, or security reviews for procurement: np@dendrons.ai

Infrastructure

Hosting

Vercel (SOC 2 Type 2 certified platform), serverless compute, no long-lived servers to patch.

Database

Google Cloud SQL (PostgreSQL) with encryption at rest and in transit, private authorised connections only.

AI processing

Google Vertex AI within our own GCP project. Your responses are not used to train any model.

Credentials

Workload Identity Federation - no long-lived cloud keys exist anywhere in the stack.

Data protection

Encryption in transit

TLS 1.2+ everywhere, HSTS enforced across all subdomains.

Encryption at rest

All database storage and report PDFs encrypted at rest (Google-managed keys).

Report access

Report URLs are unguessable UUIDs. Shared links use AES-256-GCM encrypted tokens and show a redacted executive view only.

Search engines

Reports, dashboards, and account pages are excluded from indexing at both the header and robots level.

Your rights over your data

Benchmarking

Sector benchmarks are computed only from anonymous aggregates - never your name, organisation, or responses. You can opt out.

Deletion

Email np@dendrons.ai from your registered address and we delete your assessments, reports, and monitoring data within 7 days.

Export

You can request a full export of your data in machine-readable form at any time.

No resale

We never sell, share, or license your data to third parties.

Application security

Authentication

Passwordless magic-link sign-in (Supabase Auth). No passwords stored, nothing to breach.

API protection

All write endpoints are rate limited; StayReady ingestion supports API-key authentication.

Payments

Handled entirely by Razorpay (PCI DSS Level 1). Card details never touch our servers.

Audit trail

StayReady maintains an append-only audit log of every monitoring event for regulator review.

Compliance alignment

Our own practices are aligned to the frameworks we assess against: the DPDP Act 2023 (consent, purpose limitation, data minimisation), and the spirit of ISO/IEC 27001 controls for access management and encryption. Formal certification is on our roadmap as we grow - ask us for the current status in your procurement review.