Trust Center / Centro de Confianza

How We Protect Your Data

Last updated: March 26, 2026

Security Posture

Encryption in transit: TLS 1.2+ on all connections
Encryption at rest: AES-256-GCM for credentials, PostgreSQL with RLS
Authentication: HMAC-SHA256 tokens, JWT with revocation, Microsoft JWKS validation
Access control: Row-Level Security on 13 tables, per-request tenant isolation
Audit trail: Append-only audit ledger with SHA-256 hash chain (7-year retention)
Monitoring: UptimeRobot health checks, Sentry error tracking, circuit breakers on all external APIs

Audit Scoring Methodology

Our audit evaluates your Microsoft 365 tenant across 192 detection rules in 8 categories:

Identity & Access: MFA enforcement, conditional access, admin roles, stale accounts
Email Security: DMARC, SPF, DKIM, forwarding rules, anti-phishing
Data Protection: External sharing, DLP policies, sensitivity labels
Device Management: Compliance policies, managed vs unmanaged devices
Audit & Compliance: Logging, retention, regulatory alignment
Application Control: OAuth permissions, risky apps, consent policies
Infrastructure: License utilization, connector health
Operational Maturity: Process automation, approval workflows

Each rule is scored as CRITICAL, HIGH, MEDIUM, or LOW severity. Your maturity score (0-100) is calculated relative to your industry and company size — we don't penalize manual processes that are industry-standard.

At least 25% of recommendations address non-digital dimensions (process improvement, compliance, training). Reports include a methodology note explaining how your score was calculated.

Sub-processors

Your data is processed by simiriki and the following third-party services:

Stripe (USA) — Payment processing (PCI DSS Level 1)
Supabase (USA) — Database hosting
HubSpot (USA) — CRM and contact management
Resend (USA) — Transactional email delivery
Anthropic (USA) — AI analysis for audit report generation
Vercel (USA) — Website and dashboard hosting
Railway (USA) — API hosting and database
Microsoft Graph (USA) — M365 data access (read-only, with your consent)

Full details in our Data Processing Agreement.

Data Retention

M365 scan data: Processed in real-time, not stored after report generation
Diagnostic responses: 180 days, then auto-deleted
Client projects: 1 year (non-payment) or 5 years (payment, per SAT requirements)
Audit trail: 7 years (compliance requirement)
Newsletter subscribers: Until unsubscribe

Incident Response

In case of a security incident:

72-hour notification to affected clients (per LFPDPPP Art. 16)
Automated breach detection via 40 server-side detection rules
Incident logged in tamper-evident audit ledger
Post-incident report within 5 business days

Your Rights

Under LFPDPPP, you have the right to Access, Rectify, Cancel, or Object (ARCO) to the processing of your data. Contact us at jjdlr@simiriki.com with subject "ARCO Rights." We respond within 20 business days.

Policies & Documents

Environmental Sustainability

simiriki operates as a 100% cloud-native, paperless service. Our infrastructure choices prioritize energy efficiency:

Serverless compute — scales to zero when idle, no always-on servers consuming energy
Optimized polling — connector intervals set to 15-60 minutes (not continuous) to reduce API calls and compute cycles
Aggressive data cleanup — automated monthly retention policies prevent database bloat
Zero paper — all audit reports, contracts, and communications are digital
Remote-first — no physical offices, no commute emissions

Every process we automate for our clients eliminates repetitive manual tasks, reduces energy consumption from desktop workstations, and replaces paper-based compliance workflows with cloud-native alternatives.

Sub-Processors

simiriki uses the following third-party services to deliver our products. Each maintains its own data protection agreements and compliance certifications.

Service	Purpose	Data Location
Microsoft Azure	Identity, cloud services, Graph API	US / EU
Stripe	Payment processing	US
Supabase	Database, authentication, storage	US (AWS)
Resend	Transactional email delivery	US
Vercel	Web hosting, CDN, serverless compute	Global edge
Railway	API hosting, PostgreSQL, Redis	US
Anthropic	Advanced analysis technologies	US
HubSpot	CRM, contact management	US / EU

Data Processing Agreements (DPAs) are available upon request. Contact hola@simiriki.com.

Security Researchers

We welcome responsible disclosure of security vulnerabilities. See our Responsible Disclosure Policy for details. We acknowledge reports within 72 hours and provide safe harbor for good-faith researchers.

Cargando…

Security Posture

Encryption in transit: TLS 1.2+ on all connections

Encryption at rest: AES-256-GCM for credentials, PostgreSQL with RLS

Authentication: HMAC-SHA256 tokens, JWT with revocation, Microsoft JWKS validation

Access control: Row-Level Security on 13 tables, per-request tenant isolation

Audit trail: Append-only audit ledger with SHA-256 hash chain (7-year retention)

Monitoring: UptimeRobot health checks, Sentry error tracking, circuit breakers on all external APIs

Audit Scoring Methodology

Our audit evaluates your Microsoft 365 tenant across 192 detection rules in 8 categories:

Identity & Access: MFA enforcement, conditional access, admin roles, stale accounts

Email Security: DMARC, SPF, DKIM, forwarding rules, anti-phishing

Data Protection: External sharing, DLP policies, sensitivity labels

Device Management: Compliance policies, managed vs unmanaged devices

Audit & Compliance: Logging, retention, regulatory alignment

Application Control: OAuth permissions, risky apps, consent policies

Infrastructure: License utilization, connector health

Operational Maturity: Process automation, approval workflows

At least 25% of recommendations address non-digital dimensions (process improvement, compliance, training). Reports include a methodology note explaining how your score was calculated.

Sub-processors

Your data is processed by simiriki and the following third-party services:

Stripe (USA) — Payment processing (PCI DSS Level 1)

Supabase (USA) — Database hosting

HubSpot (USA) — CRM and contact management

Resend (USA) — Transactional email delivery

Anthropic (USA) — AI analysis for audit report generation

Vercel (USA) — Website and dashboard hosting

Railway (USA) — API hosting and database

Microsoft Graph (USA) — M365 data access (read-only, with your consent)

Environmental Sustainability

simiriki operates as a 100% cloud-native, paperless service. Our infrastructure choices prioritize energy efficiency:

Serverless compute — scales to zero when idle, no always-on servers consuming energy

Optimized polling — connector intervals set to 15-60 minutes (not continuous) to reduce API calls and compute cycles

Aggressive data cleanup — automated monthly retention policies prevent database bloat

Zero paper — all audit reports, contracts, and communications are digital

Remote-first — no physical offices, no commute emissions

Sub-Processors

simiriki uses the following third-party services to deliver our products. Each maintains its own data protection agreements and compliance certifications.

Service

Purpose

Data Location

Microsoft Azure

Identity, cloud services, Graph API

US / EU

Stripe

Payment processing

Supabase

Database, authentication, storage

US (AWS)

Resend

Transactional email delivery

Vercel

Web hosting, CDN, serverless compute

Global edge

Railway

API hosting, PostgreSQL, Redis

Anthropic

Advanced analysis technologies

HubSpot

CRM, contact management

US / EU

Data Processing Agreements (DPAs) are available upon request. Contact hola@simiriki.com.