Trust · Security

Security built for the teams who read MSAs for a living.

SOC 2 Type II is in progress. Annual third-party pen tests. SSO-first. Field-level encryption for sensitive data. An audit trail your security team will recognize from day one.

At a glance

Posture, named and dated.

We do not ship badges we do not hold. Status is current, scope is explicit, expirations are published on the certifications page.

SOC 2 Type II: In progress, ETA 2026 Q3
HIPAA aligned: BAA available on request
FERPA aligned: K-12 and higher-ed deployments
GDPR ready: EU data residency option
State privacy laws: CCPA, NY SHIELD, TX SB8, VA CDPA
ISO 27001: Planned, 2027

See /trust/certifications for each badge's scope, validity window, and proof artifact.

Practices

Five categories, every control named.

Short list. Direct language. Nothing dressed up with vocabulary that collapses under a follow-up question.

Identity and access

  • SSO mandatory on Enterprise (SAML 2.0, OIDC)
  • SCIM 2.0 for directory sync
  • Least-privilege IAM with quarterly review
  • MFA enforced on every administrative role

Data protection

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Field-level encryption for sensitive PII
  • Customer-managed keys (CMK) available on Enterprise

Infrastructure

  • Hardened Linux images, immutable deploys
  • Network segmentation, private VPC by default
  • WAF, rate-limiting, bot mitigation at edge
  • Continuous vulnerability scanning (SAST, DAST, SCA)

Operations

  • 24/7 on-call rotation with documented runbooks
  • RTO: 4 hours. RPO: 1 hour
  • Disaster recovery tested twice a year
  • Backup restoration validated monthly

People

  • Background checks for all employees with production access
  • Annual security awareness training
  • Quarterly access reviews with documented sign-off
  • Offboarding within 4 hours of termination

Incident history

What has happened, honestly.

No production security incidents reported to date.

This page updates within 14 days of any reportable event. We publish post-mortems for customer-impacting incidents within 60 days.

Responsible disclosure

Report a vulnerability.

Researchers, customers, and third parties are welcome to submit security findings. We respond within two business days. We will not pursue legal action against good-faith research that follows reasonable disclosure practices.

PGP key

Available on request. Reply within one business day.

Audit reports

Under NDA, on request.

Draft SOC 2 Type II controls, the most recent third-party penetration test report, and internal audit artifacts are available to prospective and current customers under mutual NDA. Your security team receives the raw document, not a summary slide.

Request reports

Foundation-backed

Elitesgen, Inc. is wholly owned by Elites Generation Foundation, a 501(c)(3) whose charter legally forbids behavioral advertising and the sale of individual user data.

Visit elitesgen.org

Next step

Bring your security team to a working session.

We do architecture deep dives, threat modeling, and diligence reviews on request. No deck required.