Security
How Ithil protects your data, meets compliance requirements, and maintains trust.
Security Overview
Ithil is built with defense in depth. Every layer of the stack — from network to application to data — is designed with security as a primary constraint, not an afterthought. Our architecture undergoes annual SOC 2 Type II audits by independent third parties.
Data Protection
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Tenant data is isolated at the database schema level, not by row-level filtering. Each tenant has its own schema, and no query executes without tenant context. Backups are encrypted and stored in geographically separated locations.
Compliance
Ithil maintains SOC 2 Type II certification. The platform is built to WCAG 2.1 AA standards, meeting Section 508 accessibility requirements. Our data model supports GASB 34 compliance for government asset reporting. Compliance is architectural — it is how the system works, not a feature toggle.
Infrastructure
Ithil runs on AWS in US regions (us-west-2). All infrastructure is deployed within isolated Virtual Private Clouds (VPCs). Database endpoints are never publicly accessible. Infrastructure is managed as code with automated security scanning on every deployment.
Access Control
Role-based access control (RBAC) governs all operations. Single sign-on (SSO) is supported via WorkOS. Multi-factor authentication (MFA) is available for all accounts. Sessions are managed with secure, HttpOnly cookies with configurable timeout policies.
Audit Trail
Every operation in Ithil generates an immutable event in the audit log. Work orders and inspections use append-only event stores that support point-in-time reconstruction. Authorization denials are logged. Data retention policies are configurable per tenant.
Incident Response
Ithil maintains a documented incident response plan. Security incidents are communicated to affected customers within 24 hours. Our security team monitors for threats continuously. Contact security@ithil.ai for any security concerns.
Responsible Disclosure
We welcome reports from security researchers. If you discover a vulnerability, please report it to security@ithil.ai. We commit to acknowledging reports within 48 hours and will work with you on remediation timelines. We do not pursue legal action against researchers who report vulnerabilities in good faith.
For security inquiries, contact security@ithil.ai.