Early Access — Building in public

Security & Compliance

We're designing enterprise security from day one, not bolting it on later. Review our architecture, security posture, and roadmap to SOC 2.

Transparent security posture, third-party validation, and direct access to our security team.

Deep-dive calls

Architecture walkthrough with founding team

Pentest results

Bishop Fox report (Feb 2025)

Direct access

Security-first from day one

We're building enterprise trust before launch. Here's our current security posture and roadmap to certification.

Infrastructure & Operations

Live in production

Hosted on AWS GovCloud (US)

Inheriting AWS SOC 2, ISO 27001, and FedRAMP controls

TLS 1.3 enforced

Perfect Forward Secrecy enabled, A+ SSL Labs rating

AES-256-GCM at rest

AWS KMS-managed keys, automated rotation

Zero-trust network architecture

No internal trust boundaries, all access verified

Compliance & Certification

In progress (Q2 2025)

SOC 2 Type I audit

Scheduled with Prescient Assurance, report available June 2025

External penetration testing

Quarterly pentests by Bishop Fox, first report Feb 2025

GDPR compliance framework

DPA templates reviewed by Morrison & Foerster

Security & Infrastructure

Engineering team with deep systems and security expertise

Shiva Ganesh

Systems & Security Architecture

Systems software architect designing secure infrastructure, zero-trust architecture, and cloud security controls.

Vinoth Kumar

Security Advisor & Researcher

Certified security researcher and bug bounty hunter. Conducts penetration testing and vulnerability assessments.

14 years

Combined security experience

$0 raised

Bootstrapped, security investments first

Open door

Schedule architecture review anytime

At-a-glance controls

SSO / SCIM

SAML/OIDC + automated provisioning

RBAC

Role-based access by org/team

Audit Logs

Admin + critical object trail

Encryption

In transit + at rest

Data Handling

Retention + deletion controls

Vendor Risk

Packet, DPA, questionnaires

Identity & Access

Enterprise-grade identity management with SSO, SCIM provisioning, and granular role-based access control.

Single Sign-On (SSO)

SAML 2.0

OIDC

Okta / Azure AD / Google Workspace

Enforce SSO

SCIM Provisioning

Automated user provisioning & deprovisioning

Group mapping from IdP

Role-Based Access Control (RBAC)

Organization / workspace / team-level roles

Admin controls for permissions management

Auditability & Governance

Complete audit trails and change history for compliance and security review requirements.

Audit Logs cover

Sign-in activity

Admin actions

Permission changes

OKR ownership/status changes

Change History includes

Who / what / when

Before/after values

Export for compliance

Evidence Export

Updated permissions

2:14PM

Modified OKR status

1:47PM

Added team member

11:23PM

Sign-in from 192.168.1.1

10:25AM

Encryption & Application Security

Multi-layer security approach protecting data in transit and at rest.

Encryption

TLS 1.2+ for data in transit

AES-256 encryption at rest

Encrypted database backups

Secure operations

Regular vulnerability scanning & management

Secure secrets management

Environment separation (prod/staging/dev)

Automated backups + recovery testing

Data Handling

Transparent data practices with customer control over retention, export, and deletion.

What we store

Goals/OKRs, check-ins, tasks

Comments & collaboration data

Configuration & permissions

Audit logs

What we don't need

HR performance reviews

Sensitive employee data (unless customer chooses)

Payment information

Controls

Self-service data export

Configurable retention policies

Data deletion workflows

Subprocessor list in packet

Vendor Risk Readiness

Everything your procurement and security teams need to complete vendor risk assessment quickly.

Vendor Risk Packet

Complete documentation package for security review

Security questionnaire support (SIG/CAIQ/custom)

DPA + security addendum templates

Architecture + data flow documentation

Subprocessor list + change notification process

Access-control evidence (SSO/SCIM/audit logs)

Compliance certifications (available upon request)

Request Security Packet

Typically delivered within 24 hours

Incident Response

Structured incident management process with clear customer communication protocols.

Incident response process

Documented procedures for detection, containment, and resolution

Customer notification

Timely communication protocols for security-impacting events

Post-incident review

Root cause analysis and remediation tracking

Security FAQ

Common questions from security and procurement teams

Can we enforce SSO?

Do you support SCIM?

Do you provide audit logs?

Can you complete vendor security review?

Data retention & deletion controls?

Subprocessor transparency?

Security review ready in one call.

Our security team will walk through controls, answer questions, and provide documentation.

We'll bring the architecture, controls, and evidence.
