us-east-1 · local (no data egress) · sha256:7d…a81c
Preview · mock data

Trust center

Procurement-grade artifacts · signed · versioned · downloadable

Attestations & contracts

SOC 2 · Pen test · CAIQ · FedRAMP
| Artifact | Date | Source | File |
|---|---|---|---|
| SOC 2 Type II report | period 2025-09 → 2026-03 | Coalfire | soc2-type-ii-2026h1.pdf · sha256:a2…91c |
| Pen-test letter | 2026-02-14 | Bishop Fox | pentest-2026q1.pdf · sha256:5f…b2d |
| CAIQ Lite (v5) | submitted 2026-03-31 | Internal | caiq-lite-v5.pdf · sha256:8e…43a |
| FedRAMP moderate roadmap | In Process target 2026-Q4 | Internal · sponsor: DoE | fedramp-plan.pdf · sha256:3b…77e |

Data Processing Addendum (DPA)

v3.2 · updated 2026-03-20 · inline for copy-paste

1. Processing scope. Unbound Security acts as Processor under GDPR Art. 28 for Customer Data including: device configuration state, finding metadata, scan manifests, waiver records, and user identifiers synced via SCIM. Prompt bodies are not processed by Unbound; classification is on-device.

2. Sub-processors. See the list below. Customer is notified 30 days before any sub-processor addition. Objection right per Art. 28(2).

3. International transfers. SCCs Module 2 where applicable. EU tenants may opt into eu-west-1 residency; data egress from region is prohibited by policy + technical controls (VPC egress rules).

4. Security measures. ISO 27001:2022 Annex A controls applied. Encryption at rest (AES-256, per-tenant KMS) and in transit (TLS 1.3, FIPS 140-3 validated). SOC 2 Type II report available above.

5. Retention & deletion. 13-month default; configurable 6–36 months. Hard-delete within 30 days of contract termination; certificate of destruction provided on request.

6. Breach notification. Customer notified within 72 hours of confirmed personal-data breach, per GDPR Art. 33.

Sub-processors

inline · updated 2026-04-10 · 30-day notice on changes
| Processor | Purpose | Regions | DPA |
|---|---|---|---|
| Amazon Web Services | Hosting · KMS · S3 | us-east-1 · eu-west-1 · ap-south-1 | AWS GDPR DPA v3.2 |
| Anthropic | Opt-in enrichment · not required for core posture | us-east-1 | ZDR addendum |
| Stripe | Billing | us · eu | Stripe DPA |
| Vanta | Compliance evidence aggregator | us-east-1 | Vanta DPA v2 |
| Cloudflare | CDN · WAF · DDoS protection | global | Cloudflare DPA |
| Sentry | Error aggregation · no prompt content | us-east-1 | Sentry DPA |

Tenancy & data architecture

Tenancy
Logical isolation · per-tenant KMS (AWS KMS) · VPC per tenant in EU region
Data residency
us-east-1 (primary) · eu-west-1 (EU tenants) · ap-south-1 (India tenants)
Encryption
At rest: AES-256 via tenant KMS · In transit: TLS 1.3 only · FIPS 140-3 validated
Classifier
On-device · no prompt/evidence egress · model hash published per release
Retention
13 months default · configurable 6–36 months · WORM for signed evidence
Access control
SSO via Okta · SCIM provisioning · 4 RBAC roles · break-glass logged to audit

Classifier lineage

model cards · training cutoff · FP rate · adversarial eval
| Model | Training cutoff | FP rate (%) | Adversarial eval |
|---|---|---|---|
| classifier-ensemble-v3 | 2026-03-01 | hook: ~8% · mcp: ~4% · other: ~2% | passed (n=3,420) |
| unbound-supplychain-2026.04 | 2026-04-01 | mcpPublisher: ~9% | in progress |
| unbound-hook-2026.04 | 2026-04-01 | rce: ~10% | passed (n=1,890) |

Trust changelog

append-only · hash-chained
  1. 2026-04-14 · SOC 2 Type II period extended → 2026-09 · sha256:1a…e4b
  2. 2026-04-10 · Sub-processor added: AWS eu-west-1 (EU residency launch) · sha256:7c…29f
  3. 2026-02-14 · Bishop Fox pen-test letter issued · 0 criticals · sha256:5f…b2d