Security & compliance

Trust is structural, not a footer.

Architecture you can hand to a CISO, and an evidence chain you can hand to a regulator. Below is what the platform does — and what it is designed to be defensible under.

Architecture
Vendor-agnostic core, ports-and-adapters; no customer business data in a Signum-owned store — your ITSM ticket is the system of record.
Encryption
AES-256-GCM at rest and field-level encryption for governed content; TLS enforced on every adapter; secrets referenced by environment variable, never inline in configuration.
Audit
Append-only, hash-chained audit log per tenant; verifiable evidence export. Access is granted by an administrator and recorded — never assumed.
Privacy
Read-time redaction — raw, redacted and pseudonymous modes applied per consumer; names retained for investigators, tokenised for analytics and regulators.
Residency & keys
Deploy in your own cloud (self-managed) or as SaaS; operational data partitioned by deployment; customer-managed encryption keys available on Enterprise.
Identity
OIDC SSO (Google · Microsoft · Okta), SAML 2.0 and SCIM 2.0 provisioning; role-based access with an admin-approved registration policy.
console.signum.uno / audit
The hash-chained audit log: who accessed and changed what, verifiable and exportable.
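How verification of a hash-chained, per-tenant audit export can work, as an added example (not Signum's code or export format). The record fields, the all-zero genesis value and the externally recorded head hash are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first entry of a tenant's chain

def entry_hash(body):
    """SHA-256 over a canonical JSON encoding of every field except 'hash'."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def append(chain, tenant, actor, action):
    """Append one event, binding it to the previous entry's hash."""
    body = {"seq": len(chain), "tenant": tenant, "actor": actor, "action": action,
            "prev_hash": chain[-1]["hash"] if chain else GENESIS}
    chain.append({**body, "hash": entry_hash(body)})

def verify(chain, tenant, expected_head=None):
    """Return (ok, reason): checks ordering, linkage, content and head anchor."""
    prev = GENESIS
    for i, e in enumerate(chain):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i or e.get("tenant") != tenant:
            return False, f"entry {i}: wrong sequence number or tenant"
        if e.get("prev_hash") != prev:
            return False, f"entry {i}: link to previous entry broken"
        if entry_hash(body) != e.get("hash"):
            return False, f"entry {i}: content does not match its hash"
        prev = e["hash"]
    # Dropping the newest entries still leaves a valid chain, so the head is
    # compared with a value recorded outside the log (assumed to exist).
    if expected_head is not None and prev != expected_head:
        return False, "head hash differs from anchored value"
    return True, "ok"

def demo():
    log = []  # constructed sample events, not real data
    for actor, action in [("admin@example.test", "grant:analyst-role"),
                          ("analyst@example.test", "read:case-1042"),
                          ("admin@example.test", "export:evidence")]:
        append(log, "tenant-a", actor, action)
    head = log[-1]["hash"]
    edited = [dict(e) for e in log]
    edited[1]["actor"] = "someone@example.test"   # in-place edit of one record
    removed = log[:1] + log[2:]                    # one record deleted mid-chain
    return {"intact": verify(log, "tenant-a", head),
            "edited": verify(edited, "tenant-a", head),
            "removed": verify(removed, "tenant-a", head),
            "truncated_unanchored": verify(log[:2], "tenant-a"),
            "truncated_anchored": verify(log[:2], "tenant-a", head)}
```

The unanchored truncation case passes, which is why a verifier needs the latest head hash from somewhere the log writer cannot rewrite.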

Built to be defensible under

FCA · SYSC · SS1/23
EU DORA
EU MiCA
MAS · TRM
ADGM FSRA
AUSTRAC · APRA CPS 230
ISO/IEC 27001
SOC 2
NIST CSF
UK & EU GDPR

Certifications in progress are shown as roadmap, never as held. Ask for the security pack and current attestation status in the demo.

Hand it to your CISO.

We will walk the architecture, the audit chain and the data-residency model.
