
Security built for the people who read MSAs for a living.

SOC 2 Type II (in progress, ETA 2026 Q3). Annual third-party pen tests. SSO-first. Field-level encryption. An audit trail your security team will recognize.

Posture at a glance

  • SOC 2 Type II: in progress, ETA 2026 Q3
  • HIPAA aligned: BAA available on request
  • FERPA aligned: K-12 and higher-ed deployments
  • GDPR ready: EU data residency option
  • State privacy laws: CCPA, NY SHIELD, TX SB8, VA CDPA
  • ISO 27001: planned, 2027

Security practices

Five categories. Documented controls. No hand-waving.

Each category maps to standard B2B security reviews. If your team runs a CAIQ or SIG, these are the answers before you ask.

Identity and access

  • SSO mandatory on Enterprise (SAML 2.0, OIDC)
  • SCIM 2.0 for directory sync
  • Least-privilege IAM with quarterly review
  • MFA enforced on every administrative role

Data protection

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Field-level encryption for sensitive PII
  • Customer-managed keys (CMK) available on Enterprise

Infrastructure

  • Hardened Linux images, immutable deploys
  • Network segmentation, private VPC by default
  • WAF, rate-limiting, bot mitigation at edge
  • Continuous vulnerability scanning (SAST, DAST, SCA)

Operations

  • 24/7 on-call rotation with documented runbooks
  • RTO: 4 hours. RPO: 1 hour
  • Disaster recovery tested twice a year
  • Backup restoration validated monthly

People

  • Background checks for all employees with production access
  • Annual security awareness training
  • Quarterly access reviews with documented sign-off
  • Offboarding within 4 hours of termination

Subprocessors

The names behind the infrastructure.

A short list of the primary subprocessors you'll see on any DPA. The full list, with regions and specific roles, lives on the Data Processing page.

  • Amazon Web Services: primary infrastructure (US regions). Region: US
  • Google Cloud Platform: secondary compute, data warehouse. Regions: US / EU
  • Cloudflare: edge, DDoS, WAF. Region: global
  • Datadog: application observability. Region: US
  • Sentry: error monitoring. Region: US

Incident history

Kept honest, published on a clock.

We treat this page the way a bank treats a material event filing. Every reportable event appears here within 14 days. Post-mortems publish within 60 days.

Current state

No production security incidents reported to date.

This page updates within 14 days of any reportable event. We publish post-mortems for customer-impacting incidents within 60 days.

  • Disclosure: within 14 days. Every customer-impacting or reportable security event.
  • Post-mortem: within 60 days. Root cause, remediation, and commitments to change.
  • Affected customers: direct notice. Primary contact, security contact, and legal contact on file.

Responsible disclosure

Found something we should know about?

We welcome responsible disclosure from security researchers and customer security teams. Report privately; we respond within one business day, acknowledge public credit where appropriate, and do not threaten legal action for good-faith research.

Foundation-backed

Elitesgen, Inc. is wholly owned by Elites Generation Foundation, a 501(c)(3) whose charter legally forbids behavioral advertising and the sale of individual user data.

Visit elitesgen.org

Security review

Send your security questionnaire. We will answer it.

CAIQ, SIG, or custom. We reply with documentation, not evasion. If we do not yet have a control in place, we say so and tell you when we will.