Security Program Breach SLA Vendor Diligence

Summarize certifications, encryption, access control, monitoring, pen tests, and tiered breach SLAs buyers cite in questionnaires — bookmark for audits.

Controls summarized for questionnaires

The security program documents the certification posture (EU-U.S. DPF, UK extension, Swiss-U.S. DPF, SOC 2 Type II in progress, ODNI CAI alignment for sensitive data categories) alongside the concrete technical controls buyers ask about: TLS with HSTS for data in transit, CSP baselines, AES-256-class encryption for data at rest, MFA, RBAC with quarterly entitlement reviews, a defined penetration-test cadence, and centralized logging expectations.

Breach notification ladder

  • Tier 1 — confirmed unlawful access affecting identified customer data: notify within 72 hours where GDPR timelines apply.
  • Tier 2 — suspected incidents: provisional notice within five US business days, with a confirm-or-close follow-up within two weeks.
  • Tier 3 — platform noise with no spillover of purchaser data: summarized quarterly or in per-contract dashboards.

For coordinated vulnerability reporting, see SECURITY.md and security.txt.