Trust Center / Centro de Confianza

How We Protect Your Data

Last updated: May 22, 2026

Quarterly Security Audit · Auditoría Trimestral

Twelve audited vectors with file-level evidence — SQL injection, SSRF, open redirects, CSRF, OAuth state, webhook signatures, HMAC, encryption at rest, CSP. Public, reproducible, refreshed quarterly.

Read the 2026-05-06 audit →

Security Posture

Encryption in transit: TLS 1.2+ on all connections
Encryption at rest: AES-256-GCM for credentials, PostgreSQL with RLS
Authentication: HMAC-SHA256 tokens, JWT with revocation, Microsoft JWKS validation
Access control: PostgreSQL Row-Level Security on every multi-tenant table (33+ tables), per-request tenant isolation
Audit trail: Append-only audit ledger with SHA-256 hash chain, daily integrity verification cron, up to 7-year retention (configurable per org; 365-day default)
Monitoring: Synthetic uptime probes every minute against each service (web, dashboard, API) feeding the public status page at status.simiriki.com; Sentry for error tracking; circuit breakers on external API calls (Microsoft Graph, Stripe, Anthropic)

Audit Scoring Methodology

Our audit evaluates your Microsoft 365 + Azure estate across 197 detection rules (151 via Microsoft Graph + 46 via Azure Resource Manager) in 8 categories:

Identity & Access: MFA enforcement, conditional access, admin roles, stale accounts
Email Security: DMARC, SPF, DKIM, forwarding rules, anti-phishing
Data Protection: External sharing, DLP policies, sensitivity labels
Device Management: Compliance policies, managed vs unmanaged devices
Audit & Compliance: Logging, retention, regulatory alignment
Application Control: OAuth permissions, risky apps, consent policies
Infrastructure: License utilization, connector health
Operational Maturity: Process automation, approval workflows

Each rule is scored as CRITICAL, HIGH, MEDIUM, or LOW severity. Your maturity score (0-100) is calculated relative to your industry and company size — we don't penalize manual processes that are industry-standard.

At least 25% of recommendations address non-digital dimensions (process improvement, compliance, training). Reports include a methodology note explaining how your score was calculated.

Sub-processors

Your data is processed by simiriki and the following third-party services:

Microsoft Azure (USA) — Primary infrastructure (Container Apps, Postgres, Storage, Key Vault, Front Door), East US 2 region
Microsoft 365 / Graph (USA) — Customer M365 OAuth (read-only) during scans + Graph SendMail for transactional email
Stripe (USA) — Payment processing (PCI DSS Level 1)
Cloudflare (USA) — Authoritative DNS resolution for simiriki.com
Anthropic (USA) — Claude models for monthly memo generation and executive analysis (under explicit client consent)
Upstash (USA) — Redis for rate limiting, cron deduplication, and heartbeat tracking (no PII; ephemeral counters and timestamps only)

Full details in our Data Processing Agreement.

Data Retention

M365 scan data: Processed in real-time, not stored after report generation
Diagnostic responses: 180 days, then auto-deleted
Client projects: 1 year (non-payment) or 5 years (payment, per SAT requirements)
Audit trail: 7 years (compliance requirement)
Newsletter subscribers: Until unsubscribe

Incident Response

In case of a security incident:

72-hour notification to affected clients (per LFPDPPP Art. 16)
Automated breach detection via 197 server-side detection rules
Incident logged in tamper-evident audit ledger
Post-incident report within 5 business days

Your Rights

Under LFPDPPP, you have the right to Access, Rectify, Cancel, or Object (ARCO) to the processing of your data. Contact us at jjdlr@simiriki.com with subject "ARCO Rights." We respond within 20 business days.

Policies & Documents

Environmental Sustainability

simiriki operates as a 100% cloud-native, paperless service. Our infrastructure choices prioritize energy efficiency:

Serverless compute — scales to zero when idle, no always-on servers consuming energy
Optimized polling — connector intervals set to 15-60 minutes (not continuous) to reduce API calls and compute cycles
Aggressive data cleanup — automated monthly retention policies prevent database bloat
Zero paper — all audit reports, contracts, and communications are digital
Remote-first — no physical offices, no commute emissions

Every process we automate for our clients eliminates repetitive manual tasks, reduces energy consumption from desktop workstations, and replaces paper-based compliance workflows with cloud-native alternatives.

Security Researchers

We welcome responsible disclosure of security vulnerabilities. See our Responsible Disclosure Policy for details. We acknowledge reports within 72 hours and provide safe harbor for good-faith researchers.

Cargando…

Security Posture

Encryption in transit: TLS 1.2+ on all connections

Encryption at rest: AES-256-GCM for credentials, PostgreSQL with RLS

Authentication: HMAC-SHA256 tokens, JWT with revocation, Microsoft JWKS validation

Access control: PostgreSQL Row-Level Security on every multi-tenant table (33+ tables), per-request tenant isolation

Audit trail: Append-only audit ledger with SHA-256 hash chain, daily integrity verification cron, up to 7-year retention (configurable per org; 365-day default)

Monitoring: Synthetic uptime probes every minute against each service (web, dashboard, API) feeding the public status page at status.simiriki.com; Sentry for error tracking; circuit breakers on external API calls (Microsoft Graph, Stripe, Anthropic)

Audit Scoring Methodology

Our audit evaluates your Microsoft 365 + Azure estate across 197 detection rules (151 via Microsoft Graph + 46 via Azure Resource Manager) in 8 categories:

Identity & Access: MFA enforcement, conditional access, admin roles, stale accounts

Email Security: DMARC, SPF, DKIM, forwarding rules, anti-phishing

Data Protection: External sharing, DLP policies, sensitivity labels

Device Management: Compliance policies, managed vs unmanaged devices

Audit & Compliance: Logging, retention, regulatory alignment

Application Control: OAuth permissions, risky apps, consent policies

Infrastructure: License utilization, connector health

Operational Maturity: Process automation, approval workflows

At least 25% of recommendations address non-digital dimensions (process improvement, compliance, training). Reports include a methodology note explaining how your score was calculated.

Sub-processors

Your data is processed by simiriki and the following third-party services:

Microsoft Azure (USA) — Primary infrastructure (Container Apps, Postgres, Storage, Key Vault, Front Door), East US 2 region

Microsoft 365 / Graph (USA) — Customer M365 OAuth (read-only) during scans + Graph SendMail for transactional email

Stripe (USA) — Payment processing (PCI DSS Level 1)

Cloudflare (USA) — Authoritative DNS resolution for simiriki.com

Anthropic (USA) — Claude models for monthly memo generation and executive analysis (under explicit client consent)

Upstash (USA) — Redis for rate limiting, cron deduplication, and heartbeat tracking (no PII; ephemeral counters and timestamps only)

Environmental Sustainability

simiriki operates as a 100% cloud-native, paperless service. Our infrastructure choices prioritize energy efficiency:

Serverless compute — scales to zero when idle, no always-on servers consuming energy

Optimized polling — connector intervals set to 15-60 minutes (not continuous) to reduce API calls and compute cycles

Aggressive data cleanup — automated monthly retention policies prevent database bloat

Zero paper — all audit reports, contracts, and communications are digital

Remote-first — no physical offices, no commute emissions