
Trust and Security

Last updated: [to be set on publish]

This page describes the security and operational practices SGEN applies to the platform. It is a companion to our Privacy Policy, Data Processing Addendum, and Sub-Processors pages.

The existing /security page describes platform security features for end customers (built-in defaults, no-plugin architecture). This page describes the security of the platform itself — the practices we apply as the operator.
Hosting and isolation

  • Hosting provider. SGEN serves customer-facing traffic through Google's edge network. ⚠ Confirm whether the underlying compute is Google Cloud Platform, App Engine, Cloud Run, or another configuration before publish.
  • Network controls. Production traffic is routed through the hosting provider's edge. Rate-limiting and abuse-protection capabilities provided by the platform are applied to public endpoints.
  • Customer isolation. Customer Content, accounts, and configuration are scoped per customer at the application layer. ⚠ Confirm whether tenancy is logical-only or includes infrastructure-level isolation.

Encryption

  • In transit. All customer-facing endpoints are served over HTTPS with TLS. HTTP requests are redirected to HTTPS.
  • At rest. Primary data stores use the encryption-at-rest capabilities provided by the underlying hosting platform.

Access control

  • Least privilege. Internal access to production systems is granted on a need-to-know basis.
  • Multi-factor authentication. Applied where required for production access. ⚠ Confirm scope with platform-eng before publish.
  • Operational logs. Administrative actions on production systems are recorded by the operational tooling we use. ⚠ Confirm log-retention windows before publish.

Application security

  • Dependency monitoring. We track production dependencies for known vulnerabilities and apply patches as warranted.
  • Change review. Production changes pass through internal review. ⚠ Confirm whether code review is mandatory across all merge paths before publish.
  • Customer authentication. Customer accounts use industry-standard password hashing. Multi-factor authentication is available where the customer enables it.
  • Session management. Sessions are time-limited and bound to the originating client.

Operational practices

  • Backups. Customer data is backed up. ⚠ Confirm backup schedule and restore-drill cadence with platform-eng before publish; remove any line that overstates the current practice.
  • Incident response. We follow internal procedures for detection, containment, communication, and post-incident review when production issues affect customer data or availability.
  • Personnel. Staff with access to production systems are bound by confidentiality obligations under their employment or contractor agreements. ⚠ Confirm whether security-awareness training is currently in place before adding it back.

Customer security features

End customers also have controls in their own dashboard:

  • per-user account security (passwords, multi-factor authentication)
  • role-based access for team members
  • audit log of administrative actions on the customer's account
  • customer-managed tracking-consent controls for sites the customer builds

A summary of the customer-facing security features is on the Security page.

Reporting a security issue

If you believe you have found a vulnerability in the SGEN platform, write to security@sgen.com with:

  • a description of the issue
  • steps to reproduce
  • the affected URL or endpoint
  • your contact information

We acknowledge reports within 3 business days and work with you on a coordinated disclosure path.

We do not currently operate a public bug-bounty program. We thank researchers who report responsibly.

Compliance posture

  • GDPR. Our Privacy Policy and Data Processing Addendum describe how we comply with the GDPR for EU and UK Data Subjects.
  • CCPA. Our Privacy Policy describes the rights of California Consumers and how to exercise them.
  • Audit reports. We do not currently hold a SOC 2 or ISO 27001 report. We document our controls on this page and through the DPA. If you require a formal audit report, write to legal@sgen.com to discuss.

Contact

Security questions: security@sgen.com.
Privacy questions: legal@sgen.com.