Built for the regulated perimeter
SOC 2 Type II (continuous), ISO 27001:2022, ISO 27017, ISO 27018 certified. Data residency in Singapore (MAS Notice 644), EU (GDPR Art. 44–50), and UAE (CBUAE PRC 2018). AES-256-GCM at rest, TLS 1.3 in transit.
Every control below maps to NIST CSF 2.0, CIS Controls v8, or OWASP ASVS Level 2. Available to procurement teams under NDA.
TLS 1.3 in transit, AES-256-GCM at rest. Customer-managed keys via HSM-backed CMK (FIPS 140-2 Level 3). No plaintext key material leaves the HSM.
SAML 2.0 + SCIM provisioning, per-role RBAC, MFA enforced. Every privileged admin action is logged with actor, timestamp, and diff — exportable for regulator review.
Every customer and admin action writes to a WORM-locked, indexed ledger. Seven-year retention baseline meets MAS TRM, MiFID II, and BSA recordkeeping obligations.
Multi-region active-passive deployment with hot standby. Signed policy fallbacks maintain screening decisions during partial outages — no gap in regulatory coverage.
Continuous SAST, DAST, and SCA pipelines plus quarterly penetration tests by an independent firm. Vulnerability disclosure policy published at width.com/security.
Every AI model version is cryptographically signed. Drift monitoring alerts on statistical deviation; rollback to any prior signed version executes in under 5 minutes.
SOC 2 Type II report, ISO 27001:2022 certificate, pentest executive summary, and DPA — available under NDA to qualifying procurement teams.