Information security
Governance and oversight
Effective security requires more than technical controls—it demands organizational commitment, clear accountability, and strategic oversight. Our security governance framework ensures security considerations are integrated into business decisions at every level, including the executive level.


We monitor what matters
Our security controls operate in real-time, not just during annual audits. Through automated monitoring and evidence collection, we maintain visibility into our security posture every day, enabling us to identify and address potential issues before they become problems.
We believe in transparency
Rather than hiding behind legal jargon, we proactively share information about our security practices, certifications, and compliance framework adherence. This trust center exists to answer your questions before you have to ask them.


Security is a partnership
While we implement robust controls to protect the infrastructure and data we manage, effective security requires collaboration. We provide the tools, documentation, and support you need to configure appropriate access controls and security settings for your environment.
Security program framework
Our information security program aligns with industry-recognized frameworks including ISO 27001 and NIST Cybersecurity Framework principles. This structured approach ensures comprehensive coverage across:
Infrastructure security
We design our systems with defense-in-depth architecture, implementing multiple layers of protection. Data is encrypted in transit and at rest using industry-standard protocols. Our infrastructure leverages enterprise cloud providers' physical security controls while we maintain responsibility for securing our application layer and customer data.
Access management
We operate on a principle of least privilege, ensuring individuals access only the resources necessary for their role. Multi-factor authentication protects access to sensitive systems. We regularly review and revoke access when no longer required.
Operational resilience
Our services are designed to remain available even when individual components fail. We distribute infrastructure across multiple availability zones, maintain regular backups, and test our disaster recovery procedures to ensure business continuity.
Secure development
Security is integrated throughout our development lifecycle. We conduct code reviews, implement automated security testing in our CI/CD pipeline, and engage third-party security experts to perform penetration testing and identify vulnerabilities before deployment.
Vendor risk management
We evaluate the security practices of third-party service providers before engagement and monitor them continuously. Our subprocessor list is available in this trust center, reflecting our commitment to transparency about who handles your data.

Compliance & certifications
We maintain certifications and attestations that demonstrate our adherence to rigorous security standards. These independent assessments validate our controls and provide assurance that we're doing what we say we're doing.
Current certifications and compliance frameworks include PCI, FFIEC, and SOC 2 Type II. Upon request and subject to appropriate confidentiality agreements, we can provide detailed audit reports, penetration test summaries, and other compliance documentation. We continuously monitor regulatory developments to ensure our practices evolve with changing requirements across jurisdictions where we operate.
Your role in security
Effective security requires shared responsibility. While we secure our infrastructure and platform, you maintain control over:
User access management
Determining who within your organization should have access to our platform and what permissions they require
Data governance
Deciding what information to input, how long to retain it, and when to delete it
Configuration security
Enabling available security features such as single sign-on, IP allowlisting, and session controls
Incident reporting
Alerting us to suspicious activity or potential security concerns
We've designed our platform with security features that help you fulfill these responsibilities effectively. Our documentation provides guidance on security best practices and recommendations.
Incident response & transparency
Despite robust preventive measures, no organization can guarantee perfect security. Our incident response program ensures we can detect, respond to, and communicate about security events appropriately.
If we identify a security incident that affects your data, we will notify affected customers in accordance with applicable legal requirements and our contractual commitments. We maintain relationships with leading security experts and can rapidly engage additional expertise when needed.
We publish updates about significant security events in this trust center to keep our customers informed.
Continuous improvement
Security is never finished. We continuously enhance our program through:
Regular third-party audits, security assessments and penetration testing
Gathering customer feedback about security features and concerns
Internal security training and awareness programs
Monitoring emerging threats and adapting our defenses
Questions & documentation access
We've compiled documentation to address frequently asked questions, common requests and security inquiries. For more detailed information you can submit a request through your account manager.
Issues or questions? Send us an e-mail at privacy@candescent.com
Legal disclaimers
The information provided in this trust center describes our current security practices and is subject to change. While we strive to maintain accurate information, this content is for informational purposes and does not constitute a contractual commitment. Specific security commitments are governed by your applicable service agreement. This trust center was last updated January 21, 2026.
