Security & Compliance

Your Data, Protected

SeedGovernance is built from the ground up with enterprise-grade security. We protect your governance data with the same rigor we help you apply to compliance.

Encryption Everywhere

All data is encrypted both at rest and in transit, ensuring your governance documentation is protected at every stage.

Encryption at Rest

All stored data is encrypted using AES-256 encryption via Azure Storage Service Encryption. Encryption keys are managed through Azure Key Vault with automatic rotation.

Encryption in Transit

All communications use TLS 1.2 or higher. We enforce HTTPS across all endpoints and apply HSTS headers to prevent downgrade attacks.

Encryption Standards

Data at Rest: AES-256
Data in Transit: TLS 1.2+
Key Management: Azure Key Vault
Certificate Management: Automated Rotation
API Security: OAuth 2.0 + JWT

Built on Azure

SeedGovernance runs on Microsoft Azure, one of the world's most trusted cloud platforms, with infrastructure designed for high availability and regulatory compliance.

Compute Isolation

Each tenant's workloads run in isolated containers with dedicated resource limits and network segmentation.

Database Security

Azure SQL with transparent data encryption, automated backups, and geo-redundant disaster recovery.

Network Security

Azure Front Door with DDoS protection, Web Application Firewall, and private virtual network endpoints.

Monitoring & Alerting

Continuous monitoring with Azure Monitor and Application Insights. Real-time alerting on anomalies and incidents.

Automated Patching

Infrastructure and platform dependencies are patched automatically. Zero-downtime deployments ensure uninterrupted service.

Backup & Recovery

Automated daily backups with 30-day retention. Point-in-time recovery and cross-region replication available.

Access Controls & Authentication

Granular role-based access control ensures the right people have the right level of access.

Multi-Factor Authentication (MFA)

Enforce MFA across your organization. Supports TOTP authenticator apps and email-based verification.

Role-Based Access Control

Five distinct roles -- Owner, Admin, Consultant, Steward, and Viewer -- each with precisely scoped permissions.

Session Management

Configurable session timeouts, concurrent session limits, and the ability to revoke active sessions.

Single Sign-On (SSO)

Enterprise SSO via SAML 2.0 and OpenID Connect. Available on the Enterprise plan.

Audit Logging

Every action in SeedGovernance is logged with a complete audit trail.

What We Log

  • User authentication events (login, logout, MFA challenges)
  • Document creation, modification, and deletion
  • Role assignments and permission changes
  • Auditor link creation and access
  • Data exports and snapshot generation
  • Administrative actions (settings, billing, user management)
  • API access and integration events

Audit logs are retained for 90 days on Pro plans and 1 year on Enterprise plans.

Regional Data Residency

Choose where your data lives. SeedGovernance offers three deployment regions to help you meet local data residency and sovereignty requirements.

Europe (EU): Azure West Europe (Netherlands); GDPR, UK GDPR, DORA, NIS2

Middle East (ME): Azure UAE North (Dubai); NDMO, PDPL, NCA ECC, SAMA

United States (US): Azure East US (Virginia); SOC 2, HIPAA, CCPA, CMMC

Data never leaves your chosen region. All processing, storage, and backups remain within the selected Azure region.

Coming Soon

SOC 2 Type II Certification

SeedGovernance is actively working toward SOC 2 Type II certification. We have implemented the controls and processes required by the Trust Services Criteria and are preparing for our initial audit engagement.

Controls Implemented: Complete
Type I Audit: In Progress
Type II Audit: Planned

Responsible Disclosure Policy

We take security vulnerabilities seriously and appreciate responsible disclosure.

Reporting a Vulnerability

If you discover a security vulnerability, please report it to security@seedgovernance.com. Include a detailed description of the vulnerability, steps to reproduce, and any supporting evidence.

Our Commitment

  • Acknowledge receipt within 24 hours
  • Provide an initial assessment within 72 hours
  • Keep you informed of remediation progress
  • Credit researchers in our security advisories (with permission)
  • Not pursue legal action against good-faith researchers

Scope

Our disclosure policy covers the SeedGovernance platform (app.seedgovernance.com), the marketing site (seedgovernance.com), and all associated APIs. Please do not test against production accounts belonging to other customers.

Have Security Questions?

Our team is happy to discuss our security practices in detail. Request a security review or ask about specific compliance requirements.