Legal

Security

Last updated: May 18, 2026

On this page

  1. Our approach
  2. Encryption
  3. Infrastructure
  4. Access controls
  5. Monitoring & response
  6. Secure SDLC
  7. Compliance
  8. Responsible disclosure
  9. Contact us

1. Our approach

Security at Allmire is built in, not bolted on. We protect customer data with defense-in-depth controls across our infrastructure, application, people, and processes. This page summarizes the safeguards we operate; the controls themselves are continuously reviewed and refined.

2. Encryption

  • In transit: TLS 1.2+ for all public endpoints; certificate pinning on mobile clients.
  • At rest: AES-256 encryption for databases, object storage, and backups.
  • Key management: Keys managed by a hardened KMS with rotation, audit logging, and least-privilege access.

3. Infrastructure

  • Hosted in tier-1 cloud regions with SOC 2 / ISO 27001 / HIPAA certified data centers
  • Logical network segmentation between production, staging, and corporate environments
  • Web application firewall (WAF) and DDoS protection at the edge
  • Immutable infrastructure deployed via CI/CD with reproducible builds

4. Access controls

  • Single sign-on (SSO) with SAML/OIDC available for customer admins
  • Role-based access controls (RBAC) at the application layer
  • Multi-factor authentication required for all employee accounts
  • Just-in-time elevation for production access with mandatory audit logging
  • Quarterly access reviews and immediate revocation on role change or offboarding

5. Monitoring & incident response

  • 24/7 monitoring and alerting via a centralized SIEM
  • Intrusion detection on network and host layers
  • Documented incident response playbooks with regular tabletop exercises
  • Severity-based escalation and customer notification commitments

6. Secure SDLC

  • Mandatory code review and automated static analysis on every change
  • Dependency scanning and software bill of materials (SBOM) generation
  • Annual third-party penetration testing
  • Bug bounty program for external researchers

7. Compliance

Allmire's controls map to the requirements of:

  • HIPAA (see HIPAA Compliance)
  • SOC 2 Type II
  • PCI DSS for the payment surface
  • GDPR / CCPA for applicable personal data

Customers under NDA can request our latest compliance reports by emailing security@allmire.com.

8. Responsible disclosure

If you believe you've found a security vulnerability in our Services, please report it to security@allmire.com. We commit to acknowledging valid reports promptly and working with researchers in good faith. Please do not disclose the issue publicly until we've had reasonable time to investigate and remediate.

9. Contact us

Security questions, reports, or report requests: security@allmire.com.