Defence-in-depth for your sales motion.
From the application core to the audit log, security is not a feature — it's the foundation. Encryption, role-based access, comprehensive logging, and a secure SDLC.
What we do, by layer.
Five disciplines, applied every day, audited every quarter.
Encryption
- TLS 1.3 in transit, HSTS preload
- AES-256 at rest on database and backups
- Encrypted column-level fields for sensitive data
Access control
- Role-based access control (RBAC) with hierarchies
- Optional 2FA TOTP for all users
- SSO SAML / SCIM on Enterprise tier
- Tenant-level isolation via row-level security (PostgreSQL RLS)
Audit & logging
- Every write operation logged to an immutable audit table
- Per-tenant access history exportable as CSV
- Sentry for application-level errors (EU region)
Secure SDLC
- Mandatory code review on every change
- TDD on critical business logic with measured coverage
- Dependabot + automated SCA on every dependency
- Annual penetration test (planned 2027)
Incident response
- On-call rotation, 24/7 for Enterprise
- RTO 4h / RPO 1h for tenants on Business+
- Customer notification within 24 hours of confirmed incident
Our commitments
Transparency over secrecy
We disclose sub-processors, post status reports publicly, and publish incident post-mortems for Enterprise customers.
Least privilege, by default
No engineer has standing access to customer data. Production access requires JIT elevation, logged and reviewed.
No backdoors, ever
We do not honour requests to weaken cryptography, install lawful intercept, or bypass tenant isolation. We will publish a warrant canary.
Found a vulnerability?
Email security@continuum-business.com — we respond within 24 hours and credit researchers in our hall of fame.
Security questionnaire?
Enterprise customers receive a CAIQ-formatted questionnaire and pen-test summary on request.