BETA BEGINS APRIL 2026

Security

FractalScript processes regulated data across critical infrastructure, healthcare, financial services, and education. Every sector we serve demands rigorous data protection. This page describes exactly how we deliver it.

NERC CIP / BCSI · HIPAA / ePHI · GLBA · 23 NYCRR 500 / NPI · FERPA / Student Records
Infrastructure
SOC 2 Type II
Supabase + AWS + Vercel
Encryption
AES-256
At rest and in transit
Data Residency
US Only
AWS US East, Virginia

Regulated Data Protection

How we classify and protect sensitive information across every vertical

Energy
BCSI
BES Cyber System Information — utility identity, vendor inventory, impact classifications, patch assessments, facility details, mitigation plans
Healthcare
ePHI
Electronic Protected Health Information — organization profile, device inventory, vulnerability assessments, workforce security records, incident documentation
Financial Services
NPI
Nonpublic Information — institution profile, system inventory, risk assessments, vendor due diligence records, incident response documentation
Education
Student Records
FERPA-protected data — institution profile, system inventory, compliance assessments, access review records, incident documentation
🔒
Automatic Classification
All regulated data elements are automatically classified upon entry based on your organization's sector. No manual tagging required.
🖥️
Visual Indicators
Screens containing regulated data display a classification banner and lock badge on all authenticated pages. Your team always knows what they're looking at.
📋
Data Inventory
Administrators can view exactly what regulated data FractalScript holds for their organization: vendor selections, system inventory, compliance records, assessment notes, and evidence packages.
🗑️
Data Disposal
Upon cancellation, your data remains available for export for 90 days and is then permanently deleted via cryptographic erasure. A disposal certificate is provided upon request.

Encryption

Multiple layers of encryption protect your data at every stage

In Transit
TLS 1.3
All connections between your browser and FractalScript servers. HSTS enforced with Strict-Transport-Security headers.
At Rest (Infrastructure)
AES-256
Database storage layer encryption via Supabase on AWS. Applies to all data across all verticals.
At Rest (Application)
AES-256 (infrastructure-level via Supabase; per-org column encryption planned)
Planned: additional column-level encryption on regulated data fields (vendor inventory, facility names, system details, mitigation plans, assessment notes).
Key Management
Supabase Vault
Per-organization encryption keys (planned) stored in hardware-backed key management. Keys are never exposed to application code.
Backups
AES-256
All database backups encrypted at rest. Retained 30 days.

Tenant Isolation

Your data is completely separated from every other customer

🏢
PostgreSQL Row-Level Security
Every database table enforces RLS at the database engine level. Even if the application has a bug, one organization can never query another organization's data. This applies across and within verticals.
🔑
Per-Organization Encryption Keys
Planned: regulated data columns will be encrypted with a unique key per organization, stored in Supabase Vault, so that even database administrators cannot read another org's protected data without that org's key.
👥
Role-Based Access Control
Three roles (Admin, Compliance, Analyst) with least-privilege permissions. Admins control user provisioning. No self-registration.
🛡️
Sector Isolation
Organizations are scoped to their regulatory vertical. Energy customers see CIP workflows. Healthcare customers see HIPAA workflows. No cross-sector data or configuration bleed.
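As an added illustration (not FractalScript's own schema or policies), this is how PostgreSQL row-level security pins every row to one organization at the database engine level; it assumes an org_id column and an org_id JWT claim read via current_setting(), the way Supabase/PostgREST exposes request claims, and Supabase's non-superuser "authenticated" role:

```sql
-- Constructed sample table; the real schema is not on this page.
create table vendor_inventory (
  id          bigserial primary key,
  org_id      uuid not null,
  vendor_name text not null
);

-- Constructed sample rows for two organizations, inserted by the owner before RLS is forced.
insert into vendor_inventory (org_id, vendor_name) values
  ('11111111-1111-1111-1111-111111111111', 'Vendor A'),
  ('22222222-2222-2222-2222-222222222222', 'Vendor B');

-- Enable RLS and FORCE it so even the table owner is subject to the policies.
alter table vendor_inventory enable row level security;
alter table vendor_inventory force row level security;

-- Caller's organization, taken from the verified JWT claims (assumed claim name: org_id).
-- Returns NULL when no claim is present, so the policy below matches no rows at all.
create or replace function current_org_id() returns uuid
language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'org_id')::uuid;
$$;

-- With RLS enabled and no policy, no rows are visible. This single policy grants
-- reads AND pins writes: WITH CHECK stops a caller from inserting or updating a row
-- into another organization's partition, which USING alone would not prevent.
create policy org_isolation on vendor_inventory
  for all
  using (org_id = current_org_id())
  with check (org_id = current_org_id());

grant select, insert, update, delete on vendor_inventory to authenticated;

-- Check: act as org A and confirm org B's row is invisible. Superusers and roles with
-- BYPASSRLS are exempt from RLS, so the application must never connect as one;
-- that is the condition under which an application bug cannot leak another org's data.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"org_id":"11111111-1111-1111-1111-111111111111"}', true);
select count(*) from vendor_inventory
  where org_id = '22222222-2222-2222-2222-222222222222';  -- returns 0, although the row exists
rollback;
```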

Access Controls

Authentication, session management, and audit logging

🔐
Authentication
Supabase Auth with secure password hashing and built-in rate limiting. Multi-factor authentication available. SSO via SAML/OAuth on Enterprise tier.
⏱️
Session Management
Configurable session lifetime, default 8 hours (idle timeout controls planned). Sessions automatically expire. Account lockout after repeated failed login attempts.
📝
Access Logging (In Development)
Every action touching regulated data is logged: logins, page views, status changes, notes, evidence generation, exports. Logs are append-only; they cannot be modified or deleted. Retained 3 years minimum.
🗓️
Access Review Reports
Administrators can generate access review reports showing all users, roles, and last login dates. Exportable for compliance evidence across all frameworks.

Application Security

Defense-in-depth at the application layer

🛡️
Security Headers
Content Security Policy (CSP; hardening in progress), HTTP Strict Transport Security (HSTS), X-Frame-Options DENY, X-Content-Type-Options nosniff, and a Permissions-Policy restricting camera, microphone, and geolocation.
🔍
Dependency Scanning
Automated via GitHub Dependabot on all repositories. Security patches prioritized for immediate deployment.
🚨
Secret Scanning
GitHub secret scanning enabled on all repositories to detect accidentally committed credentials.
🧪
Penetration Testing (planned for GA)
Penetration testing is planned for general availability. Scope will cover the application, API, and infrastructure layers.

Data Residency

All data stays in the United States

Database
Supabase (AWS)
US East, Virginia
SOC 2 Type II
Application
Vercel (AWS)
US East, Virginia
SOC 2 Type II
File Storage
Supabase Storage (S3)
US East, Virginia
SOC 2 Type II
No customer data is transferred to, processed in, or accessible from locations outside the United States. This applies to all verticals and all data classifications.

Zero Customer System Access

FractalScript never connects to your operational systems

No connection to OT/ICS networks
No agents or sensors deployed
No access to EHR or clinical systems
No access to core banking platforms
No access to student information systems
No inbound firewall rules required
No VPN connectivity needed
No vulnerability scanning of your assets
No software installed on your systems
Browser-only access via HTTPS
FractalScript is a SaaS threat intelligence and compliance platform. We aggregate public threat data, match it to your technology profile, and generate audit-ready evidence. We never ingest, store, or process patient records, financial transactions, student grades, or operational technology traffic.

Incident Response

What happens if something goes wrong

Within 24 hours
Customer's designated security contact notified of confirmed security incident affecting their data or access.
Within 48 hours
Preliminary assessment delivered: nature of incident, data categories affected, estimated scope, and containment actions taken.
Within 5 business days
Detailed incident report: root cause analysis, complete scope, remediation actions, and evidence preservation documentation.
Ongoing
Full cooperation with your incident response plan and any regulatory reporting obligations (E-ISAC, HHS/OCR, NY DFS, Department of Education, or applicable regulator).

Certifications & Compliance

Third-party validated security controls and compliance documentation

SOC 2 Type II
Current
Supabase, AWS, and Vercel all hold current SOC 2 Type II certifications covering database, compute, storage, and CDN services.
FractalScript SOC 2
In Progress
FractalScript is pursuing its own SOC 2 Type I certification for application-layer security controls, data handling, and access management. Required for financial services vertical.
Data Processing Agreement (draft, pending legal review)
Available
Comprehensive DPA covering data handling, subprocessor obligations, breach notification, and disposal procedures. Applicable across all verticals.
Security Profile
Available
Pre-formatted vendor security assessment document answering common SIG, CAIQ, and HECVAT questions. Available for procurement and compliance teams upon request.
Sector-Specific Documentation
Energy
CIP-011 Compliance Statement
BCSI protection controls for NERC CIP evidence packages
Energy
CIP-013 Supply Chain Profile
Vendor risk management assessment for supply chain compliance
Healthcare
BAA Eligibility Statement
Business Associate Agreement readiness and ePHI handling controls
Healthcare
HIPAA Security Rule Mapping
Administrative, physical, and technical safeguard alignment
Financial
GLBA Safeguards Documentation
Nine-element safeguards program alignment and evidence support
Education
FERPA Compliance Overview
Student record protection controls and institutional safeguards
Energy documents available now. Healthcare, financial services, and education documents available upon vertical launch. Contact us for details.

Responsible Disclosure

📧
Report a Vulnerability
Report security vulnerabilities to security@fractalscript.io. We acknowledge within 24 hours and provide status updates as we investigate.

Questions about our security?

We are happy to discuss our security practices, provide documentation, or complete your vendor assessment questionnaire.

Contact Security Team
View Pricing