What you can verify today
simiriki sits between your Microsoft 365 tenant and the remediation engine that fixes misconfigurations on your behalf. That position raises the bar on platform security well beyond what a normal SaaS marketing site owes its readers. Rather than point to certifications we don't yet hold, we publish a quarterly audit listing every security vector we check and the source file that backs each result.
Read the full audit →
Audit highlights
- SQL injection: parameterized queries throughout, no string interpolation in queries.
- CSRF: cross-origin POST/PUT/DELETE rejected at the proxy layer.
- OAuth state: all callbacks compare state with crypto.timingSafeEqual.
- Token encryption at rest: Microsoft Graph and LinkedIn access tokens encrypted with AES-256-GCM before persistence.
- Stripe webhook signatures: verified with the official timing-safe API; idempotency backed by a Supabase event ledger.
- HMAC verification: every signature comparison uses crypto.timingSafeEqual; PR #656 closed the last two non-timing-safe paths.
The full table — twelve vectors with file-level evidence — is at /security-posture.
What we publish
- Quarterly re-audit of the full vector table; deltas published within 7 days.
- Reportable incidents under LFPDPPP Art. 20 published at /trust-center with timeline and non-recurrence plan, within legal deadlines.
- Sub-processor list with data location for every third-party service that touches customer data — see /trust-center and /dpa.
- Public security contact at security@simiriki.com with 48-business-hour initial response.