Security & Trust

The data in your account is your own preparation material, not the federal CUI you are protecting:

• Assessment working data — per-requirement findings, objective answers, computed score/status/validity, POA&M plan text, and CAGE/scope details.
• Account & organization identity — your name and work email, and organization membership. We never see or store passwords.
• Optional evidence files you upload per requirement, each gated by a mandatory, permanent “contains no CUI” attestation.

We do not collect CUI, and the platform is not authorized or hardened to hold it.

Your data is encrypted both in transit (HTTPS/TLS for all traffic) and at rest. Application secrets are held in a managed secrets vault and are never stored in our source code. Because sign-in is handled by a trusted identity provider, we never see or store your password.

The application is multi-tenant: every record is owned by an organization, and every database query is scoped to the organization you are currently acting in. Access to any individual assessment is verified on the server for each request — a request for a record outside your organization returns “not found,” never another tenant's data. Authorization is enforced in the backend, never trusted from the browser, and our automated tests include cross-tenant access and organization-isolation checks that run on every change.

Sign-in is handled through a trusted single sign-on provider — this is the app's own authentication and confers no SPRS access. Within an organization, access is role-based (Owner, Admin, Member), and only Owners and Admins can manage teammates. Plan entitlements are enforced on the server for every protected action, not merely hidden in the interface. Platform administration is restricted to designated SentryNexus staff.

Server-side activity and errors are logged, monitored, and alerted on, with an uptime check on the production site so operational problems surface quickly. Administrative access to our infrastructure is logged by our cloud provider.

Our managed cloud database is backed up automatically, with point-in-time recovery so we can restore to a moment before an incident. The application runs on managed, auto-scaling cloud infrastructure.

You can delete individual assessments and uploaded evidence from within the application at any time. To delete your entire account and organization — and all associated preparation data — email admin@sentrynexus.io from your account address. We action verified deletion requests promptly, typically within 30 days, and removal includes copies in backups as they cycle out. We retain data only as long as your account is active or as needed to provide the service.

We rely on a small set of vetted providers to operate the service. We do not sell your data, and we do not serve third-party advertising.

This list reflects the current production service. We will update this page before adding a subprocessor that handles your data.

We welcome reports from security researchers. If you believe you've found a vulnerability, email admin@sentrynexus.io with enough detail to reproduce it. Please act in good faith: give us a reasonable opportunity to remediate before public disclosure, avoid privacy violations and data destruction, and don't run automated scanning that degrades the service for others. We will not pursue or support legal action against researchers who follow this guidance. We do not currently operate a paid bug-bounty program, but we're grateful for responsible reports and will acknowledge them.