Your data, protected.

Independently audited. Fully compliant. No compromises.

ISO/IEC 27001:2022

Certified by InterCert. Independent, accredited assessment of our Information Security Management System.

US Entity: Sellestial, Inc., Wilmington, Delaware · US
Registration: IC-IS-2605030
Issued: May 1, 2026
Valid through: April 30, 2029

EU Entity: Sellestial d.o.o., Ljubljana · Slovenia
Registration: IC-IS-2605031
Issued: May 1, 2026
Valid through: April 30, 2029

Scope of certification

The Information Security Management System applies to our AI-powered cloud platform for CRM data integrity and management, with the support functions of IT, Human Resources, Administration and Legal.

Compliance

ISO/IEC 27001:2022

Certified. Valid through April 30, 2029.

GDPR

Compliant. EU data protection.

CCPA

Compliant. California data rights.

SOC 2 Type II

In progress.

How We Protect Your Data

Encryption. TLS 1.3 in transit. AES-256 at rest. Keys managed via HashiCorp Vault. Annual key rotation.

Access Control. SSO required. MFA enforced on all critical systems. Role-based permissions. Least privilege enforced. Access revoked within 24 hours of departure.

Monitoring. 24/7 security monitoring. Real-time alerting. Comprehensive audit logging. Weekly log reviews.

Infrastructure. Multi-region cloud (DigitalOcean EU). Automatic failover. 99.99% uptime SLA.

Vulnerability Management

Scanning. External scans quarterly. Internal dependency scans monthly.

Penetration testing. Annual third-party penetration testing.

Patching. Critical vulnerabilities patched within 1 business day. High within 3 days.

Secure Development

Secure SDLC. Security and privacy considered at every development phase.

Code review. All changes require pull request review before production.

OWASP aligned. Coding practices follow OWASP Secure Coding Guidelines.

Automated testing. Static analysis and dependency scanning in CI/CD.

Business Continuity

Recovery objectives. RPO: Point-in-time. RTO: < 12 hours for core data.

Backups. Nightly full database backups + continuous write-ahead log archiving.

Redundancy. Multi-region backups. Automatic failover capabilities.

Testing. Annual BC/DR exercises. Quarterly backup restoration tests.

Data Residency

Primary processing. EU data centers (DigitalOcean EU).

International transfers. Standard Contractual Clauses (SCCs) for transfers outside EEA.

Sub-processors. Maintained list available on request.

Personnel Security

Background checks. All personnel screened before access is granted.

Training. Annual security awareness training required.

Confidentiality. NDAs signed by all employees and contractors.

Access revocation. Logical access revoked within 24 hours of departure.

Your Rights

You own your data.

  • Export anytime (standard format)
  • Delete on request
  • Full portability
  • Requests fulfilled within 30 days

Incident Response

Detection: < 5 minutes

Containment: < 1 hour

Initial triage: < 4 hours

Notification: < 24 hours (< 72h per DPA)

Questions?

security@sellestial.com

Response within 24 hours.

24/7 for emergencies.
