Security Information for Your Clients
Last updated: June 1, 2026
For consultants: Share this page with your clients to demonstrate that their data is handled securely within CisoDeck. You can link to this page directly or reference it in your proposals and contracts.
What is CisoDeck?
CisoDeck is a professional platform used by your cybersecurity consultant to manage security assessments, track risks, and generate executive reports on your behalf. Your consultant enters information about your organization’s security posture, and the platform helps them deliver structured, professional security services.
How your data is protected
Tenant isolation
Your data is completely isolated from all other organizations on the platform. Each consultant’s account is separated at the database level using PostgreSQL Row Level Security (RLS). This means:
- No other consultant or their clients can access your data
- Isolation is enforced by the database engine, not just application code
- Automated cross-tenant attack tests verify isolation continuously
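As an added illustration of the isolation pattern this section describes (not CisoDeck's own schema or code), the SQL below enables Row Level Security on a tenant-keyed table and runs the kind of cross-tenant check an automated test would perform; table, column, role and setting names are assumptions.

```sql
-- Illustrative only: table and column names are assumptions, not CisoDeck's schema.
-- Each client organization row belongs to exactly one consultant (the tenant).
CREATE TABLE organizations (
    id            bigserial PRIMARY KEY,
    consultant_id uuid NOT NULL,
    name          text NOT NULL
);

-- Enable RLS and FORCE it so the policies also bind the table owner.
-- (Superusers and roles with BYPASSRLS still bypass it, which is why the
-- application must connect as an ordinary role, as below.)
ALTER TABLE organizations ENABLE ROW LEVEL SECURITY;
ALTER TABLE organizations FORCE ROW LEVEL SECURITY;

-- The policy compares each row's tenant to the identity of the session.
-- Supabase exposes auth.uid() for this; a plain session setting is used
-- here (assumed name 'app.current_consultant') to keep the example self-contained.
CREATE POLICY tenant_isolation ON organizations
    USING      (consultant_id = current_setting('app.current_consultant', true)::uuid)
    WITH CHECK (consultant_id = current_setting('app.current_consultant', true)::uuid);

-- Ordinary application role without BYPASSRLS; the web tier runs as this role.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON organizations TO app_user;
GRANT USAGE ON SEQUENCE organizations_id_seq TO app_user;

-- Constructed sample data: two consultants, one client organization each.
INSERT INTO organizations (consultant_id, name) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Acme Widgets'),
    ('22222222-2222-2222-2222-222222222222', 'Globex Corp');

-- Cross-tenant check, run as the application role acting for consultant 1111...
SET ROLE app_user;
SET app.current_consultant = '11111111-1111-1111-1111-111111111111';

-- USING filters every read: rows owned by the other consultant are not visible,
-- even when the query names that tenant explicitly.
SELECT name FROM organizations;
SELECT name FROM organizations
 WHERE consultant_id = '22222222-2222-2222-2222-222222222222';

-- Writes are bound by the same rule: invisible rows cannot be updated, and
-- WITH CHECK rejects any new row whose consultant_id is not the session's.
UPDATE organizations SET name = 'Renamed' WHERE name = 'Globex Corp';
INSERT INTO organizations (consultant_id, name)
    VALUES ('22222222-2222-2222-2222-222222222222', 'Smuggled Org');

RESET ROLE;
```

The last INSERT fails with a row-level security policy violation, which is the behaviour a continuous cross-tenant test asserts on, alongside the SELECTs returning only the session's own rows.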
Encryption
- In transit: All data is encrypted using TLS 1.2+ between your consultant’s browser and our servers
- At rest: All database records and files are encrypted at rest using AES-256 (managed by our infrastructure providers)
Access control
- Only your consultant (and any team members they authorize) can access your data
- Authentication uses secure password hashing (bcrypt) and HTTP-only session cookies
- Multi-factor authentication is planned for a future release
Report security
- Generated reports (PDFs) are stored in private storage — no public URLs
- Report downloads use signed URLs that expire after 5 minutes
- Report snapshots are immutable — once generated, they cannot be altered
Audit trail
- All significant actions (assessments completed, reports generated, risk changes) are logged
- Audit logs are append-only and cannot be modified or deleted
- Your consultant can provide audit trail records on request
What data is stored
The following information about your organization may be stored by your consultant:
- Organization name, industry, and primary contact details
- Security assessment answers and compliance scores
- Risk register entries (identified risks, severities, owners, due dates)
- Remediation action items and their progress
- Generated executive security reports (PDF and data snapshots)
Your consultant is the data controller for your information. CisoDeck acts as a data processor. Your consultant determines what data to enter and how long to retain it.
Infrastructure
| Provider | Purpose | Compliance |
|---|---|---|
| Supabase | Database, authentication, file storage | SOC 2 Type II |
| Vercel | Application hosting | SOC 2 Type II |
| Stripe | Payment processing (consultant billing only) | PCI DSS Level 1 |
No client data is shared with payment processors. Stripe is used only for consultant subscription billing.
Data residency
Application data is currently hosted in the EU (Frankfurt, eu-central-1) region. Application hosting on Vercel uses edge locations closest to the user, with server-side processing in the EU. For specific data residency requirements, please speak with your consultant.
Data deletion
Your consultant can delete your organization’s data from the platform at any time. When deleted, all associated assessments, risks, actions, and reports are permanently removed within 30 days. You may also request deletion directly by contacting your consultant.
Questions
If you have security questions about how your data is handled, please contact your cybersecurity consultant directly. They can provide further detail about the security measures in place and facilitate any data requests.
For platform security concerns, you can contact us at [email protected].
For full platform security details, see our Security Overview. For data processing details, see our Privacy Policy.