# SigmaShake — Security Program

> Public security posture for SigmaShake. Twenty controls across identity, cryptography, data protection, application hardening, and data-subject rights. Quarterly AI-assisted code-level penetration testing and a SOC 2 Type II observation window currently open (2026-05-18 → 2026-11-17).

## Machine-readable

- [Compliance manifest (canonical JSON)](https://trust.sigmashake.com/.well-known/compliance.json)
- [Trust Center summary (llms.txt)](https://trust.sigmashake.com/llms.txt)
- [Sub-processor feed](https://compliance.sigmashake.com/api/v1/sub-processors.json)
- [Verification key](https://compliance.sigmashake.com/.well-known/compliance-pubkey)
- [Security disclosure (RFC 9116)](https://security.sigmashake.com/.well-known/security.txt)
- [Security advisories (RSS)](https://security.sigmashake.com/advisories.xml)
- [Security advisories (JSON)](https://security.sigmashake.com/advisories.json)

## Security advisories

SigmaShake discloses CVEs and security events as numbered advisories (SSA-YYYY-NNNN). Customers are notified by email; every account is enrolled automatically at signup, and fleet/enterprise administrators are always notified.

- [Advisory index](https://security.sigmashake.com/advisories)
- [Advisory RSS feed](https://security.sigmashake.com/advisories.xml)
- [Advisory JSON feed](https://security.sigmashake.com/advisories.json)
- [Subscribe by email](https://security.sigmashake.com/advisories/subscribe)

## Frameworks (see manifest for attestation_level)

- SOC 2 Type II — 2017 TSC (rev. 2022)
- ISO/IEC 27001:2022
- GDPR (EU 2016/679) — 31 articles catalogued (25 applicable)
- UK GDPR + DPA 2018
- Swiss FADP (revFADP)
- CCPA / CPRA

## Contact

- security@sigmashake.com — [vulnerability report form](https://trust.sigmashake.com/vulnerability-report)
- Safe-harbor language applies to good-faith research under our disclosure policy.