Trust & Security

How we handle your data, what security controls we have in place, and our commitments to uptime, privacy, and compliance.

  • Encryption in transit: TLS 1.3
  • Uptime SLA: 99.9%
  • GDPR: Compliant
  • SOC 2: Audit in progress

Security Controls

  • All data in transit encrypted via TLS 1.3
  • Data at rest encrypted using AES-256
  • API keys hashed with bcrypt — never stored in plaintext
  • Infrastructure isolated per tenant; no cross-customer data access
  • Regular third-party penetration testing
  • Dependency scanning via Dependabot + Snyk on every PR
  • Principle of least privilege across all internal systems

Uptime & Reliability

  • Target SLA: 99.9% monthly uptime for the threat intelligence API
  • Real-time status page at ismalicious.com/status
  • Automated alerting on p95 latency > 500ms
  • Global CDN edge caching on verdict responses (TTL configurable)
  • Redundant PostgreSQL with automated failover
  • Redis cluster for rate limiting and session data
  • Incident response within 1 hour for P0 issues

Data Retention

  • API request logs retained for 90 days, then automatically purged
  • Threat intelligence data refreshed continuously — no stale verdicts older than 24h for active indicators
  • Account data deleted within 30 days of account closure upon request
  • No user query data sold or shared with third parties
  • Bulk export data does not include any customer-identifiable metadata
  • Indicators of compromise (IOCs) sourced from public and licensed feeds — no user-submitted data in verdicts

Privacy & Compliance

  • GDPR Article 17 (right to erasure) honored within 72 hours
  • CCPA opt-out respected — no sale of personal information
  • Cookie consent banner with granular controls on all marketing pages
  • Privacy policy and DPA (Data Processing Agreement) available on request
  • No third-party advertising trackers on authenticated dashboard pages
  • Sub-processors disclosed in our Privacy Policy

SOC 2 Roadmap

  • SOC 2 Type I audit in progress — expected completion Q3 2026
  • Controls mapped to AICPA Trust Services Criteria (Security, Availability, Confidentiality)
  • Audit conducted by an AICPA-accredited firm
  • SOC 2 Type II audit planned for Q1 2027
  • Enterprise customers can request a copy of the audit report under NDA upon completion

Responsible Disclosure

If you discover a security vulnerability in isMalicious, please report it to security@ismalicious.com. We follow a 90-day coordinated disclosure timeline and acknowledge valid reports within 48 hours.

Data Processing Agreement

Enterprise customers can request a signed DPA for GDPR compliance purposes. Contact us with your organization details.

Last reviewed: April 2026