Security Policy

Last updated: 2026-05-07

This page provides a high-level overview of how we approach security at Senthorion. Implementation specifics are intentionally not published.

1. Our approach

Senthorion is designed and operated with security as a primary concern. We apply technical and organizational measures appropriate to the sensitivity of the data we handle and the risks our customers face.

We continuously review our practices and improve them as the platform and threat landscape evolve.

2. Authentication and account protection

Access to the platform requires authenticated accounts. We support modern authentication practices, including multi-factor authentication, and apply controls designed to mitigate credential abuse and brute-force attempts.

3. Authorization and tenant separation

Senthorion is multi-tenant by design. Customer data is logically separated and accessible only to authorized users within the owning organization, subject to the role-based access controls that the organization configures.

4. Encryption

Traffic to and from Senthorion is protected with industry-standard transport encryption. Customer data at rest is protected using encryption provided by our infrastructure providers.

5. Operational security

We follow least-privilege principles for internal access, manage secrets through dedicated configuration channels, and apply logging and monitoring suited to detecting and investigating unusual activity.

6. Data lifecycle

We retain data only for as long as necessary to operate the service and meet our legal and contractual obligations. See the Privacy Policy for additional information.

7. AI safety

When AI-assisted features are used, we apply safeguards designed to reduce the exposure of sensitive information before requests are sent to AI providers, and we avoid using customer data to train third-party models without authorization.

8. Compliance roadmap

Senthorion includes in-product compliance workflows aligned to recognized industry frameworks. Formal external attestations are pursued through staged audit programs and announced when achieved.

9. Vulnerability reporting and responsible disclosure

To report a security issue, contact security@senthorion.com with reproduction details, scope, and impact.

We aim to acknowledge reports within 5 business days and coordinate remediation updates. Good-faith testing is expected to avoid privacy violations, service disruption, or data destruction. Please do not access data that is not your own and do not perform denial-of-service or social-engineering tests.

10. Incident response

We investigate suspected incidents using internal procedures. If an incident materially affects customer data, we notify impacted parties consistent with our legal and contractual obligations.