Built for the desks that read everything.
EDGAR Analyst is engineered for the security expectations of regulated buy-side and sell-side teams. Encryption everywhere, scoped access, immutable audit logs, and a SOC 2 Type II audit in progress.
How we think about security.
Encryption everywhere
All data in transit uses TLS 1.3. All data at rest is encrypted with AES-256 using keys managed in a hardware-backed KMS. Customer-managed keys are available on enterprise plans.
- Per-tenant encryption envelopes
- Annual key rotation
Identity & access
SSO via SAML 2.0 and OIDC. SCIM for user provisioning. Mandatory MFA for staff. Role-based access enforced through scoped service tokens.
- Okta, Entra ID, Google Workspace
- Just-in-time access for engineers
Tenant isolation
Customer Data is logically isolated per tenant with row-level controls and per-tenant encryption keys. Vector indices and document caches are scoped to the tenant they belong to.
- No cross-tenant query paths
- Independent retention policies
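The per-tenant envelope scheme described under Encryption everywhere and Tenant isolation, as an added example in Go that is not EDGAR Analyst's own code: each record is sealed under its own data key (DEK), the DEK is sealed under the tenant's key-encryption key (KEK), the tenant ID is bound into both layers as AES-GCM additional authenticated data, an annual KEK rotation re-wraps only the DEK, and a decrypt attempted from another tenant's context fails before any record data is touched. The in-memory KMS map, the Envelope layout and every function name are assumptions made for the example; the real service keeps KEKs inside the hardware-backed KMS and never exports them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is stored with a record; both blobs are AES-256-GCM with the tenant ID as AAD.
type Envelope struct {
	KEKVersion int
	WrappedDEK []byte // nonce || GCM(KEK, DEK): the per-record data key, wrapped
	Ciphertext []byte // nonce || GCM(DEK, plaintext): the record itself
}

// KMS maps tenant ID -> KEK versions (slice index is the version). It is an in-memory
// stand-in assumed for this example; a real hardware-backed KMS never exports KEK bytes.
type KMS map[string][][]byte

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// RotateKEK adds a fresh 256-bit KEK version for the tenant and returns its number.
func (k KMS) RotateKEK(tenant string) int {
	k[tenant] = append(k[tenant], randomBytes(32))
	return len(k[tenant]) - 1
}

func (k KMS) kek(tenant string, version int) ([]byte, error) {
	if vs := k[tenant]; version >= 0 && version < len(vs) {
		return vs[version], nil
	}
	return nil, fmt.Errorf("no KEK version %d for tenant %q", version, tenant)
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // keys only ever come from randomBytes(32)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a standard AES block
	return gcm
}

func sealBlob(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad) // output is nonce || ciphertext || tag
}

func openBlob(key, blob, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt seals plaintext under a fresh DEK wrapped with the tenant's newest KEK.
func (k KMS) Encrypt(tenant string, plaintext []byte) (Envelope, error) {
	e := Envelope{KEKVersion: len(k[tenant]) - 1}
	kek, err := k.kek(tenant, e.KEKVersion)
	if err != nil {
		return Envelope{}, err
	}
	dek := randomBytes(32)
	e.WrappedDEK = sealBlob(kek, dek, []byte(tenant))
	e.Ciphertext = sealBlob(dek, plaintext, []byte(tenant))
	return e, nil
}

// unwrap recovers the DEK with the calling tenant's KEK and AAD only, so an envelope
// belonging to another tenant fails here (GCM tag mismatch) before data is touched.
func (k KMS) unwrap(tenant string, e Envelope) ([]byte, error) {
	kek, err := k.kek(tenant, e.KEKVersion)
	if err != nil {
		return nil, err
	}
	return openBlob(kek, e.WrappedDEK, []byte(tenant))
}

func (k KMS) Decrypt(tenant string, e Envelope) ([]byte, error) {
	dek, err := k.unwrap(tenant, e)
	if err != nil {
		return nil, err
	}
	return openBlob(dek, e.Ciphertext, []byte(tenant))
}

// Rewrap moves an envelope onto the tenant's newest KEK; the record ciphertext is untouched.
func (k KMS) Rewrap(tenant string, e Envelope) (Envelope, error) {
	dek, err := k.unwrap(tenant, e)
	if err != nil {
		return Envelope{}, err
	}
	e.KEKVersion = len(k[tenant]) - 1
	e.WrappedDEK = sealBlob(k[tenant][e.KEKVersion], dek, []byte(tenant))
	return e, nil
}
```

Rotation re-wraps the DEK rather than re-encrypting the record, which is what keeps an annual rotation affordable across a large document store. An envelope that still names an old KEK version stays readable until a background job rewraps it, so a KEK version can only be retired once no stored envelope references it; the version number in each envelope is what makes that check possible.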
Monitoring & logging
Append-only audit logs, retained for 2 years. Centralized SIEM with 24/7 alerting on anomalous access. Quarterly log reviews and continuous control monitoring.
- Immutable audit trail
- 24/7 incident response on-call
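One way to make an append-only audit trail independently verifiable is a hash chain, shown here as an added Go example that is neither the page's nor the product's own code (the page does not say how its immutable trail is implemented). Each entry commits to the previous entry's hash, so editing or deleting a stored record breaks verification. The anchoredHead parameter stands in for the chain head as exported out-of-band (for instance to the SIEM); it is what catches silent truncation of the newest entries, which a chain alone cannot detect. The entry fields and the sample events are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// AuditEntry is one record of the trail. Hash commits to the entry's own fields and
// to PrevHash, so every record is bound to the one written before it.
type AuditEntry struct {
	Seq      int
	Actor    string
	Action   string
	PrevHash string // hex SHA-256 of the previous entry; "" for the first entry
	Hash     string
}

// entryHash length-prefixes the variable fields so no two field splits collide.
func entryHash(seq int, actor, action, prev string) string {
	msg := fmt.Sprintf("%d|%d:%s|%d:%s|%s", seq, len(actor), actor, len(action), action, prev)
	sum := sha256.Sum256([]byte(msg))
	return hex.EncodeToString(sum[:])
}

// AuditLog only ever grows; Append is the single write path.
type AuditLog struct{ entries []AuditEntry }

func (l *AuditLog) Append(actor, action string) AuditEntry {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := AuditEntry{Seq: len(l.entries), Actor: actor, Action: action, PrevHash: prev}
	e.Hash = entryHash(e.Seq, e.Actor, e.Action, e.PrevHash)
	l.entries = append(l.entries, e)
	return e
}

// Entries returns a copy so callers cannot reach into the log's backing array.
func (l *AuditLog) Entries() []AuditEntry { return append([]AuditEntry(nil), l.entries...) }

// Verify recomputes every hash and checks the links. It returns -1 and nil when the
// chain is intact and its head equals anchoredHead (the last hash as recorded
// out-of-band); otherwise the index of the first bad entry, or len(entries) when the
// chain is internally consistent but its head does not match the anchor (truncation).
func Verify(entries []AuditEntry, anchoredHead string) (int, error) {
	prev := ""
	for i, e := range entries {
		switch {
		case e.Seq != i:
			return i, fmt.Errorf("entry %d: sequence gap (seq %d)", i, e.Seq)
		case e.PrevHash != prev:
			return i, fmt.Errorf("entry %d: link to previous entry broken", i)
		case e.Hash != entryHash(e.Seq, e.Actor, e.Action, e.PrevHash):
			return i, fmt.Errorf("entry %d: contents modified after write", i)
		}
		prev = e.Hash
	}
	if prev != anchoredHead {
		return len(entries), fmt.Errorf("head %.8s does not match anchored head %.8s: trail truncated", prev, anchoredHead)
	}
	return -1, nil
}

func main() {
	var trail AuditLog
	// Constructed sample events, not real log data.
	trail.Append("analyst@fund.example", "view 10-K")
	trail.Append("analyst@fund.example", "export table")
	head := trail.Append("svc-indexer", "rebuild vector index").Hash
	entries := trail.Entries()
	fmt.Println(Verify(entries, head))
	entries[1].Action = "view 10-Q" // tamper with a stored record
	fmt.Println(Verify(entries, head))
	fmt.Println(Verify(trail.Entries()[:2], head)) // newest entry silently dropped
}
```

The chain proves order and integrity of what was kept, but not completeness: a writer who controls the store can drop the tail and recompute nothing, which is why the head hash has to leave the system, to a SIEM, a WORM bucket or a customer-visible receipt, on every append or at a fixed interval.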
AI & data handling
We do not train foundation models on Customer Data without consent. AI inference runs in tenant-scoped contexts. Inputs and outputs are logged and retained per your retention policy.
- Zero data retention with model providers
- No Customer Data in fine-tuning
Resilience
Multi-AZ infrastructure with automated failover. Daily encrypted backups with point-in-time recovery. Quarterly disaster recovery exercises and documented RTO/RPO targets.
- 99.9% availability target
- RPO 1 hour / RTO 4 hours
What we do, in detail.
| Domain | Control |
|---|---|
| Vendor management | All subprocessors reviewed for security posture, contractual obligations, and SOC 2 / ISO 27001 attestations. Current list available on request. |
| Vulnerability management | Dependency scanning on every build. Static analysis on every PR. Critical CVEs patched within 7 days; high within 30. Annual third-party penetration test. |
| Secure development | Mandatory code review. Production deploys require multi-party approval. Secrets stored in a hardware-backed vault, never in code or environment variables. |
| Endpoint security | Mandatory disk encryption, MDM, EDR on all employee devices. Quarterly access reviews. Automatic deprovisioning on termination. |
| Personnel | Background checks for all employees. Annual security training. Confidentiality and acceptable-use agreements signed at onboarding. |
| Incident response | Documented playbooks. 24/7 on-call. Customer notification commitments per the DPA. Post-incident reviews shared with affected customers. |
| Backup & recovery | Daily encrypted backups, geographically redundant. Point-in-time recovery up to 30 days. Quarterly restoration drills. |
Found something?
We welcome reports from security researchers and customers. We acknowledge reports within 24 hours and aim to triage within 3 business days. We will not pursue legal action against good-faith research that follows responsible disclosure norms.
Email security@edgaranalyst.com with details. PGP key available on request.
For SOC 2 reports, pen test summaries, and compliance documentation, contact trust@edgaranalyst.com. We will share under NDA.