Security

Citations.io operates a written information-security program aligned with the principles of ISO/IEC 27001 and the AICPA Trust Services Criteria. The program is owned by our engineering leadership, reviewed at least annually, and applied to all employees, contractors and sub-processors who access customer data.

• In transit: TLS 1.2 or higher for all connections to the Service. HSTS is enabled on the public website.
• At rest: AES-256 on managed database storage and object storage.
• Secrets: API keys and credentials are stored in a managed secrets store and rotated on a documented schedule.

• Role-based access control with least-privilege defaults.
• Multi-factor authentication enforced for all administrative access to production systems and source-code repositories.
• Production access is limited to a small group of engineers with a documented business need and is logged.
• SSO (Google) supported for customer accounts; SAML/SCIM available on Enterprise plans.

• Hosted on Cloudflare's edge network with DDoS protection and Web Application Firewall.
• Managed Postgres on Supabase (EU region) with automated backups and point-in-time recovery.
• Network segmentation between public, application and data tiers.
• Centralised logging and continuous monitoring for anomalous activity.

• All changes go through code review and automated testing before merge.
• Dependency scanning, static analysis and secret scanning run on every commit.
• Production deploys are auditable and reversible.
• Engineers receive annual secure-development and privacy training.

• Database backups are taken continuously and retained for at least 7 days; daily snapshots are retained for 30 days.
• Recovery procedures are tested annually with documented RTO and RPO objectives.
• Critical infrastructure is multi-region or multi-AZ for resilience.

We maintain a documented incident-response plan covering detection, containment, eradication, recovery and post-incident review. Affected customers are notified of confirmed personal data breaches without undue delay and within 72 hours, as required by our DPA.

Security researchers are invited to report suspected vulnerabilities to security@citations.io. Please follow the guidance in our Acceptable Use Policy - we will not pursue legal action against good-faith research that complies with that guidance, and we will credit researchers (with permission) once a fix is shipped.

Privacy laws

The Service is designed to support customer compliance with the UK GDPR, EU GDPR and California Consumer Privacy Act (as amended by the CPRA). See our Privacy Policy and DPA.

SOC 2 / ISO 27001

SOC 2 Type II is on our compliance roadmap. While we are not yet certified, the underlying controls described above are in place. Customers under NDA may request our current security questionnaire and architecture overview.

• Choose strong, unique passwords and enable MFA on your account.
• Manage your team's access promptly when people join or leave.
• Treat API keys and integration credentials as secrets.
• Report suspected account compromise to security@citations.io immediately.