What you can verify today
simiriki sits between your Microsoft 365 + Azure tenant and the remediation engine that fixes misconfigurations on your behalf. That position raises the bar on platform security well beyond what a normal SaaS marketing site needs to demonstrate. Rather than point to certifications we don't yet hold, we publish a quarterly audit listing every security vector we check and the file in code that supports each result.
Read the full audit →
Audit highlights
- SQL injection: parameterized queries throughout, no string interpolation in queries.
- CSRF: cross-origin POST/PUT/DELETE rejected at the proxy layer.
- OAuth state: all callbacks compare state with crypto.timingSafeEqual.
- Token encryption at rest: Microsoft Graph and LinkedIn access tokens encrypted with AES-256-GCM before persistence.
- Stripe webhook signatures: verified with the official timing-safe API; idempotency backed by the Azure PostgreSQL processed_webhooks ledger.
- HMAC verification: every signature comparison uses crypto.timingSafeEqual; PR #656 closed the last two non-timing-safe paths.
The full table — twelve vectors with file-level evidence — is at /security-posture.
What we publish
- Quarterly re-audit of the full vector table; deltas published within 7 days.
- Reportable incidents under LFPDPPP Art. 20 published at /trust-center with timeline and non-recurrence plan, within legal deadlines.
- Sub-processor list with data location for every third-party service that touches customer data — see /trust-center and /dpa.
- Public security contact at security@simiriki.com with 48-business-hour initial response.