SPNT

Security & Trust

This page summarises how SPNT processes, stores, and protects customer data. It is intended as procurement collateral — a companion to the Data Processing Agreement provided at contract signing, and a reference for completing security questionnaires.

Serpentine is listed in the CSA STAR Registry at Level One: Self-Assessment. View the listing for the published CAIQ self-assessment against CCM v4.

Quick reference

Topic                        Summary
Data Processing Agreement    Provided at Enterprise and Sovereign signing; available on request at Commercial
Data residency               EU-default; configurable per customer; Sovereign tier offers contractual SLA
Encryption at rest           AES-256 on all persistent storage
Encryption in transit        TLS 1.2 minimum; TLS 1.3 preferred
Breach notification          72-hour commitment
Sub-processors               Current list available in-platform; 30-day advance notice on changes
SOC 2 Type II                In progress
CSA STAR Registry            Level One: Self-Assessment (CAIQ v4 published)
Trust Center                 Published — see footer

Deployment model

SPNT is delivered as a SaaS platform on EU infrastructure. All production data — substrate records, telemetry events, OSINT signals, reasoning outputs — is stored in the EU by default.

For customers requiring stricter isolation or on-premises components, deployment variants are available:

  • Isolated tenant — dedicated infrastructure, not shared with other customers. Available on Sovereign tier.
  • Air-gapped deployment — full platform deployment in a customer-controlled network. Available on Sovereign tier; requires a professional services engagement.
  • Hybrid — telemetry collectors in the customer network with the core platform on SPNT infrastructure. Available from Enterprise tier.

Data Processing Agreement

SPNT provides a signed DPA to all Enterprise and Sovereign tier customers as part of contract execution. The DPA documents SPNT's obligations as a data processor under GDPR and equivalent regulations.

For Commercial tier customers requiring a DPA for their own controller obligations, the DPA is available on written request.

The DPA covers:

  • Processing purpose and duration — processing only for the contracted services; data deleted or returned within 30 days of contract termination.
  • Categories of data subjects — customer employees and contractors, end users of customer applications, system accounts and service principals.
  • Categories of personal data — identity data (email, account identifiers, display names from identity telemetry), audit log metadata (timestamps, IP addresses, action types), credential exposure indicators (k-anonymity hash prefixes only — raw email addresses never transmitted).
  • Sub-processor management — current list available; 30-day advance notice on changes; objection process for additions.
  • International data transfers — EU-region storage by default; SCCs or equivalent for any transfers; Enterprise and Sovereign customers can configure transfer restrictions that prevent non-EEA flows entirely.
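The credential exposure check above relies on a k-anonymity prefix lookup: the client hashes the address locally and sends only a short prefix of the hash, the server returns every hash suffix in that bucket, and the match is made on the client. The following is an added illustration of that pattern, not SPNT's code; the page does not state which hash function or prefix length SPNT uses, so SHA-256 and a 5-character hex prefix are assumptions, and the exposure corpus is constructed sample data.

```python
"""k-anonymity prefix lookup for credential exposure indicators.

Added example; not SPNT's implementation. Assumptions: SHA-256 as the hash,
a 5-hex-character prefix, and a constructed list of 'exposed' addresses.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # assumed prefix length; the page does not specify SPNT's
HEX = set("0123456789abcdef")


def email_hash(email: str) -> str:
    """Normalise (trim, lower-case) then hash, so case/whitespace variants match."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample corpus; stands in for a breach dataset held server-side.
CONSTRUCTED_EXPOSED = ["alice@example.test", "bob@example.test"]


class ExposureIndex:
    """Server side: stores only hashes, bucketed by prefix. Never sees raw emails."""

    def __init__(self, hashes):
        self.buckets = defaultdict(set)
        for h in hashes:
            self.buckets[h[:PREFIX_LEN]].add(h[PREFIX_LEN:])

    def query(self, prefix: str):
        """Return every suffix in the bucket; reject malformed prefixes."""
        if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX:
            raise ValueError("prefix must be exactly %d lowercase hex chars" % PREFIX_LEN)
        return sorted(self.buckets.get(prefix, ()))


class Client:
    """Client side: only the prefix ever leaves the client; matching happens locally."""

    def __init__(self, index: ExposureIndex):
        self.index = index
        self.sent = []  # audit trail of exactly what was transmitted

    def is_exposed(self, email: str) -> bool:
        h = email_hash(email)
        prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
        self.sent.append(prefix)
        return suffix in self.index.query(prefix)


def build_index(emails=CONSTRUCTED_EXPOSED) -> ExposureIndex:
    # Hashing happens before ingestion, so the index itself holds no addresses.
    return ExposureIndex(email_hash(e) for e in emails)


if __name__ == "__main__":
    client = Client(build_index())
    print("alice exposed:", client.is_exposed("Alice@Example.test"))
    print("carol exposed:", client.is_exposed("carol@example.test"))
    print("transmitted:", client.sent)
```

The `sent` list is the property to check in a data-protection review: it should contain nothing but fixed-length hex prefixes, and the set of addresses mapping to any one prefix grows with the corpus, which is what gives the lookup its anonymity.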

HIPAA Business Associate Agreement

For customers with HIPAA obligations, SPNT provides a signed BAA at Enterprise and Sovereign tier, covering SPNT's handling of any ePHI that may be present in security telemetry.

Encryption

  • At rest: AES-256 across all persistent storage — substrate, audit logs, telemetry archives, evidence packets.
  • In transit: TLS 1.2 minimum, TLS 1.3 preferred. All inter-service communication is encrypted. All API endpoints enforce TLS.
  • Credential handling: customer-provided scan credentials are stored in a dedicated vault with per-org scoping. Credentials are never persisted in findings, evidence chains, or any substrate record. Access is scoped per scan configuration.

Tenant isolation

SPNT enforces per-organisation data isolation at the data layer. Every query is filtered on the organisation identifier; cross-tenant data access is architecturally excluded. Tenant isolation invariants are tested in the platform's integration test suite.
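The isolation claim above, filtering every query on the organisation identifier and exercising the invariant in an integration test, can be demonstrated with a small scoped repository. This is an added example, not SPNT's code: the table and column names, the SQLite backing store, and the finding titles are all assumptions. The point of the design is that no unscoped read method exists, so cross-tenant access is not something a caller can request.

```python
"""Per-organisation query scoping with an isolation invariant test.

Added example; not SPNT's implementation. Assumed schema ('findings' table,
'org_id' column) and SQLite in-memory storage.
"""
import sqlite3
from dataclasses import dataclass

SCHEMA = """
CREATE TABLE findings (
    id     INTEGER PRIMARY KEY,
    org_id TEXT NOT NULL,
    title  TEXT NOT NULL
);
CREATE INDEX findings_org ON findings (org_id);
"""


@dataclass(frozen=True)
class OrgContext:
    """Every data-layer call takes the caller's organisation; there is no anonymous path."""
    org_id: str


class FindingsRepo:
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def create(self, ctx: OrgContext, title: str) -> int:
        cur = self.conn.execute(
            "INSERT INTO findings (org_id, title) VALUES (?, ?)", (ctx.org_id, title)
        )
        return cur.lastrowid

    def get(self, ctx: OrgContext, finding_id: int):
        # The org filter is part of the primary lookup, not an afterthought,
        # so guessing another tenant's id yields nothing rather than their row.
        row = self.conn.execute(
            "SELECT id, title FROM findings WHERE org_id = ? AND id = ?",
            (ctx.org_id, finding_id),
        ).fetchone()
        return None if row is None else {"id": row[0], "title": row[1]}

    def list_titles(self, ctx: OrgContext):
        rows = self.conn.execute(
            "SELECT title FROM findings WHERE org_id = ? ORDER BY id", (ctx.org_id,)
        )
        return [r[0] for r in rows]


def new_repo() -> FindingsRepo:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return FindingsRepo(conn)


def isolation_invariant_holds(repo: FindingsRepo) -> bool:
    """Integration-style check: two tenants, each must see only its own rows."""
    a, b = OrgContext("org-a"), OrgContext("org-b")
    id_a = repo.create(a, "exposed credential")   # constructed sample
    id_b = repo.create(b, "public storage bucket")  # constructed sample
    return (
        repo.get(a, id_b) is None
        and repo.get(b, id_a) is None
        and repo.get(a, id_a) == {"id": id_a, "title": "exposed credential"}
        and repo.list_titles(a) == ["exposed credential"]
        and repo.list_titles(b) == ["public storage bucket"]
    )


if __name__ == "__main__":
    print("isolation invariant holds:", isolation_invariant_holds(new_repo()))
```

The check is cheap enough to run on every build; a regression that drops the `org_id` predicate from any query fails it immediately, which is the value of testing the invariant rather than relying on review alone.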

Retention

Retention schedules are configurable per data class. Defaults are documented in the DPA. On contract termination, all customer data is deleted or returned within 30 days per the termination procedure.

Breach notification

SPNT commits to notifying affected customers within 72 hours of confirmed breach detection, per Article 33 GDPR requirements.

Trust documentation

For full Data Processing Agreement terms, sub-processor lists, and the active Trust Center, request access during pilot scoping or visit the published Trust Center linked from the footer.

Need security documentation?

Request the full documentation package — DPA, sub-processor list, residency posture, and Trust Center access — during your technical review.