Skip to main content

Legal

Security Statement

Last updated: 2026-05-15. Applies to identigy.com and Identigy's identity-management engagements.

Identity governance is what we sell — broken security on our own infrastructure would invalidate the work we deliver. This statement describes the technical and organisational measures (GDPR Art. 32) we apply to our marketing website, to internal infrastructure, and to customer engagements. It is written in plain terms and avoids marketing language; if a control listed below is aspirational rather than implemented, we say so.

1. Scope

This statement covers three operational perimeters:

  • Marketing infrastructure — identigy.com (static site on Vercel, /api/contact serverless function, Cloudflare Turnstile, HubSpot CRM, Resend email).
  • Internal infrastructure — corporate identity provider (self-managed Evolveum midPoint), git, ticketing, internal SaaS. Used by Identigy engineers; not accessible to clients.
  • Customer engagements — IDM/IGA programmes delivered into customer-owned environments. The customer's own security policy governs production; our engineering practices below describe how we operate inside that policy.

2. Technical measures

Layer Control
Transport TLS 1.3 enforced; HSTS with preload; Cloudflare-managed certificates with automated rotation.
Anti-abuse Cloudflare Turnstile on all public forms; honeypot field; server-side rate limiting on /api/contact via Vercel Firewall; Vercel managed bot-protection rules.
Input validation Strict server-side schema validation (Zod); type-narrowing; explicit field length limits; no client-side bypass on submission.
HTTP headers X-Frame-Options: SAMEORIGIN · X-Content-Type-Options: nosniff · Referrer-Policy: strict-origin-when-cross-origin · Permissions-Policy locked down · Cross-Origin-Opener-Policy: same-origin.
Secrets All API tokens stored in Vercel environment variables (encrypted at rest); never in git; rotation on personnel change or 90 days, whichever is sooner. CI pipelines never log secrets.
Dependencies Minimised runtime surface (pnpm workspace); Dependabot & manual review on every major bump; security advisories triaged within 1 business day for high/critical CVE.
Email (forms) Resend with TLS-only delivery; SPF, DKIM, DMARC enforced across all 4 Identigy domains; DMARC reports monitored.
Logs Vercel runtime logs retained 30 days; request logs aggregated without form-field payloads; access controlled via Vercel SSO.

3. Organisational measures

  • Least privilege — Vercel, Cloudflare, HubSpot, Resend all enforce role-based access. MFA required on every account.
  • Separation of duties — engagement engineers access only the customer environment contracted to them; cross-customer access requires explicit re-onboarding.
  • Background check & contract — every engineer with customer-environment access signs an NDA with security clauses appropriate to the engagement and the customer's regulator.
  • Secure development lifecycle — code review on every PR; CI runs lint, typecheck, build before merge; production deploys go through staging first; no direct-to-main deploys.
  • Customer environment access — VPN or jumphost on the customer's own infrastructure; no standing access to customer production from Identigy laptops; all access logged in the customer's IAM.

4. Subprocessors (this website)

Vendor Role · region Certifications
Vercel Inc. Hosting & serverless · EU edge + global SOC 2 Type II · ISO 27001 · GDPR DPA · EU-US Data Privacy Framework
Cloudflare, Inc. DNS · Turnstile · MTA-STS · global edge ISO 27001 · SOC 2 Type II · PCI DSS Level 1 · EU-US Data Privacy Framework
HubSpot, Inc. CRM · USA SOC 2 Type II · ISO 27001 · GDPR DPA · EU-US Data Privacy Framework via SCCs
Resend, Inc. Transactional email · USA SOC 2 Type II · GDPR DPA · SCCs
Google LLC Workspace email (info@) · EU ISO 27001 · ISO 27017 · ISO 27018 · SOC 2/3 · GDPR DPA

Customer engagements introduce additional subprocessors specific to the engagement (vendor support portals, file-transfer services etc.). These are listed in the engagement DPA on signing, not here.

5. Standards & certifications

  • GDPR (EU 2016/679) — record of processing activities maintained per Art. 30; DPA template aligned with EDPB guidance; subject-request workflow with 30-day response SLA.

6. Incident response

Suspected personal-data breach is triaged by the Identigy security contact within 24 hours. Where the breach is likely to result in a risk to data subjects, supervisory authority notification occurs within 72 hours of awareness per GDPR Art. 33; data subjects are informed without undue delay per Art. 34 when the risk is high.

Customer engagement breaches are escalated to the customer's incident response team first (they are the controller for the data being processed); Identigy supports forensic analysis and remediation as the processor under the engagement DPA.

7. Responsible disclosure

If you find a vulnerability in identigy.com or in any Identigy infrastructure, please report it. We treat security reports at the same priority as customer incidents.

  • Email → security@identigy.com
  • Response acknowledgement within 2 business days.
  • Initial assessment within 5 business days; fix or mitigation timeline in the assessment.
  • We do not operate a public bug-bounty programme. Researchers acting in good faith under this disclosure policy will not be pursued legally.

8. Contact

General data-protection enquiries: info@identigy.com. Security reports: security@identigy.com.

This Security Statement is a living document. Material changes are announced via the last updated field above. Customers under an active DPA receive a written notice for any change affecting their engagement.