Security and privacy at Control+S

How we protect assessment data, use AI, manage subprocessors, and handle security reports.

Effective 2026-04-18

Encryption in transit

TLS 1.2 or higher, enforced at the edge

Encryption at rest

Managed by our infrastructure providers

MFA support

Authenticator-app 2FA for password accounts; SSO MFA via identity provider

Sandbox isolation

Short-lived, single-tenant AI sandboxes

Zero Data Retention on AI

Inference routes only to ZDR endpoints — no storage, no training

Least-privilege access

Role-based access at org and project level

Audit logs

Application, admin, and access activity logged for operational review

Adequacy + SCCs

Canada adequacy; SCCs for US transfers

Overview

Control+S handles assessment evidence, control decisions, recommendations, and remediation data. This page explains how we protect that data, how we use AI, which subprocessors support the service, and how to contact us about security.

Data we process

Control+S processes the following categories of customer and account data:

Customer-uploaded evidence and artifacts.
Control mappings, maturity scores, recommendations, gaps, and notes.
Account data, team membership, and authentication metadata.
Support communications.
Usage and audit metadata.

Do not upload production secrets, credentials, private keys, or regulated data unless your agreement and workspace configuration permit it.

Security practices

Our current technical and organizational measures include:

Encryption in transit — TLS 1.2 or higher for all traffic, enforced at the edge.
Encryption at rest — provided by our managed infrastructure (Convex, Cloudflare) using industry-standard algorithms.
Authentication — passwordless magic link, password, enterprise SSO (OIDC), and authenticator-app 2FA for password accounts.
Authorization — role-based access control at organization and project level; least-privilege access to production systems.
Sandbox isolation — AI analysis runs in short-lived, single-tenant cloud sandboxes with automatic cleanup.
Secrets and tokens — scoped, time-bounded callback tokens; no long-lived credentials issued to sandboxes.
Logging and monitoring — application, admin, and access activity logged for operational review.
Backups and recovery — managed by our hosting provider, rotated on a standard cycle.
Secure development — code review, automated dependency monitoring, and separation of development and production environments.
Vendor management — Subprocessors are contractually bound to equivalent security and privacy obligations (see below).

AI and model use

Your data is yours. Customers own the evidence, assessments, and other content they upload. We process it only to provide the Service.
No model training. Customer Content is not used to train generative AI models.
Zero Data Retention inference. AI inference is routed through OpenRouter with ZDR enforced, restricting traffic to endpoints where prompts and responses are not stored by the model provider.
Tenant isolation. Customer-specific assessment context is scoped to the relevant tenant and analysis job.
Sandbox execution. Evidence analysis runs in short-lived, single-tenant E2B sandboxes with scoped callback tokens.
Reviewer responsibility. AI suggestions are draft analysis. Control+S does not treat model output as final assessment evidence. Reviewers remain responsible for accepting mappings, ratings, gaps, and recommendations.

Data residency, export, deletion, and retention are described in the Privacy Policy.

Compliance status

Control+S is not currently certified under SOC 2, ISO 27001, or similar third-party audit frameworks. We maintain internal security controls and can provide security information for reasonable customer and prospective-customer diligence requests. We do not claim compliance that has not been independently verified.

If your organization has specific compliance requirements (for example, a Data Processing Agreement, subprocessor review, or security questionnaire), write to contact@controls.run and we will work with you.

Subprocessors

We use a small number of third-party services to operate Control+S. Each is listed below with its purpose and data location.

Service	Purpose	Data location	Added
Convex	Backend application and database hosting; file storage	United States (AWS us-east-1)	2026-04-18
Cloudflare	Edge routing, static asset hosting, DDoS protection, and transactional email delivery (magic links, invites, notifications)	Global edge network	2026-04-18
E2B	Isolated cloud sandboxes for AI-assisted evidence analysis	United States	2026-04-18
OpenRouter	AI inference layer routing to Zero Data Retention (ZDR) endpoints. Underlying model providers include OpenAI and Anthropic; prompts and responses are not stored or used for training.	United States	2026-04-21
Stripe	Payment processing and subscription billing	United States and Ireland	2026-04-18
Kong Konnect	Usage metering and billing subscription management	United States	2026-04-18

List last reviewed 2026-04-21.

Subprocessor change notices

Customers authorize the subprocessors listed above when they begin using the Service or accept our DPA. We keep this list current and record material additions or replacements in the change log below and in the public Trust updates RSS feed. Customers with an active Data Processing Agreement may object on reasonable grounds as described in the DPA.

Frequently asked questions

Where is my data stored?

Application data, evidence, and backups are stored in the United States (AWS us-east-1) by our backend provider, Convex. Static frontend assets are served from Cloudflare’s global edge network. Full subprocessor locations are listed in the Subprocessors section.

Do you use my data to train AI models?

No. Customer Content (evidence, assessments, uploads) is never used to train generative AI models. We route inference through OpenRouter with Zero Data Retention (ZDR) enforced at the account level, which restricts traffic to endpoints where the underlying model providers (including OpenAI and Anthropic) do not retain prompts or responses and do not use them for training. OpenRouter explains its ZDR controls and publishes the current list of ZDR-compliant endpoints at openrouter.ai/docs/guides/features/zdr.

What is your breach notification timeline?

If a breach affects Customer Personal Data, we notify affected Customers without undue delay and, where the GDPR applies, within 72 hours of becoming aware, to the extent feasible. Full terms are in the Data Processing Agreement.

Can I export my data? What happens if I cancel?

You can download supported reports and evidence files where those product features are available. Broader current-state workspace export is planned but not yet generally available. If you need reasonable assistance retrieving supported workspace data before cancellation or termination, contact us. We delete Customer Content from live systems within 90 days after termination, with backup copies overwritten on our standard cycle (typically within 30 days), unless law requires retention. Full retention schedule is in the Privacy Policy.

Do you offer a Data Processing Agreement (DPA)?

Yes. Our standalone DPA is designed to address Article 28-style processor terms, incorporates the EU Standard Contractual Clauses where applicable, and is accepted alongside the Terms of Service. A counter-signed copy is available on request to contact@controls.run.

Are you SOC 2 or ISO 27001 certified?

Not yet. We maintain internal security controls and can provide security information for reasonable customer and prospective-customer diligence requests. We do not claim compliance that has not been independently verified. If your procurement process requires certification, let us know at contact@controls.run.

How do you handle access control within my organization?

Role-based access at the organization and project level. Owners can invite, remove, and change roles for members. Authentication supports passwordless magic link, password, and enterprise SSO (OIDC). Password accounts can enable authenticator-app 2FA; SSO customers can enforce MFA through their identity provider.

How do I get a security questionnaire answered?

Send your questionnaire (SIG Lite, CAIQ, or custom) to contact@controls.run. We typically respond within five business days. For common enterprise questions, much of the information you need is already on this page.

Reporting a vulnerability

If you believe you have discovered a security vulnerability in Control+S, please report it to contact@controls.run. Do not publicly disclose the issue until we have had a reasonable opportunity to investigate and respond. We appreciate responsible disclosure and will credit researchers who prefer public acknowledgment. See our security.txt for the machine-readable contact.

Updates

We record material changes to our trust posture here, including subprocessor additions or removals, policy updates, and certification milestones.

2026-04-21
- Consolidated AI inference through OpenRouter with Zero Data Retention (ZDR) enforced at the account level. Underlying providers (OpenAI, Anthropic, and others on the ZDR list) do not retain prompts or responses, and do not use them for model training.
- Subprocessor change: removed Anthropic (direct API), added OpenRouter (inference layer).
2026-04-18
- Initial publication of Terms of Service, Privacy Policy, Data Processing Agreement, and Trust page.
- Published subprocessor list: Convex, Cloudflare, E2B, Anthropic, Stripe, Kong Konnect, Mailtrap.
- Published security.txt for vulnerability disclosure.

Contact

For security, privacy, trust, or compliance questions, email contact@controls.run. For postal correspondence: ShadeSec Inc., Toronto, Ontario, M6K 3N4, Canada.