
Security Program

How S6 approaches data protection, access control, infrastructure security, and incident response.

Security Program Overview

S6 handles security-sensitive workflows, so the program is built around clear controls: strong identity, encryption, scoped access, monitored infrastructure, documented incident response, and deployment options for customers who need local control of data.

Vulnerability Reporting

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue in any S6 product or service, please report it to our security team.

Security Team:

security@s6securitylabs.com

For the vulnerability reporting process and coordinated disclosure timeline, see our Vulnerability Disclosure Policy.

Encryption Standards

Data in Transit

All data in transit between clients and S6 infrastructure is protected with TLS 1.3, which provides forward secrecy because every key exchange is ephemeral. We enforce a restricted cipher suite list and keep legacy protocol versions disabled.

Data at Rest

All customer data stored in our infrastructure is encrypted at rest with AES-256. Keys are managed in AWS KMS and Azure Key Vault, with strict access controls and rotation policies.

Authentication & Access Control

Multi-Factor Authentication (MFA)

We support industry-standard MFA methods including:

  • FIDO2/WebAuthn: Hardware security keys (YubiKey, Google Titan, Feitian)
  • TOTP: Time-based one-time passwords (Google Authenticator, Authy)
  • Biometric: Windows Hello, Touch ID, Face ID
  • SMS/Email: Fallback verification only (weaker and phishable; not a substitute for the methods above)

✓ MFA is required for all administrative accounts and strongly recommended for all users.
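The TOTP option above is RFC 6238: a shared secret, a 30-second time step, HMAC-SHA1 and dynamic truncation. The following is an added example, not S6 code, showing enrolment (secret generation and the otpauth URI that Google Authenticator and Authy import), code generation, and a verifier that tolerates one step of clock skew but refuses to accept the same counter twice. The 20-byte secret "12345678901234567890" and the time/code pairs are the RFC 6238 reference vectors; issuer and account names are placeholders.

```python
"""TOTP (RFC 6238) enrolment and verification. Added example, not S6 code.

Standard library only. The 20-byte ASCII secret "12345678901234567890"
and the time/code pairs used for checking are the RFC 6238 reference
vectors (HMAC-SHA1). Issuer and account names are placeholders.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def new_secret(length: int = 20) -> str:
    """Fresh random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(length)).decode("ascii").rstrip("=")


def decode_base32_secret(encoded: str) -> bytes:
    """Decode a base32 secret as typed or scanned from an authenticator app:
    tolerant of lowercase, spaces and missing '=' padding."""
    s = encoded.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def otpauth_uri(issuer: str, account: str, secret_b32: str,
                digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI that authenticator apps import from an enrolment QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, digits: int = 6,
                window: int = 1, last_counter=None):
    """Return the matched counter, or None if the code is rejected.

    Accepts the code for the current step and `window` steps either side
    (clock skew), but never a counter at or below `last_counter`, the
    counter most recently accepted for this user. Storing that counter is
    what stops a captured code from being replayed inside the skew window.
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    current = int(now) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # Enrolment: generate a secret and the URI the user scans (placeholder names).
    b32 = new_secret()
    print(otpauth_uri("S6", "alice@example.com", b32))
    # Verification: the RFC 6238 vector at t=59 (counter 1) yields 287082 (6 digits).
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59), verify_totp(rfc_secret, totp(rfc_secret, 59), 59))
```

The verifier returns the accepted counter so the caller can persist it per user; passing it back as `last_counter` on the next attempt is the replay defence, and is as important as the skew window.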

Single Sign-On (SSO)

Enterprise customers can integrate with their identity provider using SAML 2.0. Tested integrations include:

  • Okta
  • Microsoft Entra ID (formerly Azure AD)
  • Google Workspace
  • Auth0
  • Ping Identity
  • Shibboleth

Password Security

User passwords are hashed with Argon2id, a memory-hard password hash that makes GPU and ASIC cracking expensive. We enforce strong password requirements and check new passwords against Have I Been Pwned so that passwords already exposed in known breaches are rejected.
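The Have I Been Pwned check works without sending the password, or even its full hash, to the service: the client sends the first five hex characters of SHA-1(password), receives every hash suffix in that range with a breach count, and matches locally (k-anonymity). The following is an added example, not S6 code, with the HTTP call isolated so the check runs offline against a constructed range response. The minimum-length rule, the counts and the non-matching suffixes in the sample are assumptions; the page does not state S6's actual password rules.

```python
"""Breached-password check via Have I Been Pwned's k-anonymity range API.
Added example, not S6 code.

Only the first 5 hex characters of SHA-1(password) leave the client; the
API answers with "SUFFIX:COUNT" lines for that range and the match is made
locally. The live fetcher is separated out so the logic can be exercised
offline with a constructed response.
"""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"
MIN_LENGTH = 12  # assumption: the page does not state S6's actual length rule


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to the API
    and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup (network; not used by the offline sample below).
    Add-Padding asks the API to pad the response with dummy entries so that
    the response size does not reveal which range was queried."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-password-check"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(text: str) -> dict:
    """'SUFFIX:COUNT' lines -> {suffix: count}. Padding entries carry a
    count of 0 and are dropped so they can never produce a false match."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank lines and junk
        suffix, _, count = line.partition(":")
        n = int(count.strip())
        if n > 0:
            counts[suffix.strip().upper()] = n
    return counts


def pwned_count(password: str, fetcher=fetch_range) -> int:
    """Number of known breaches the password appears in (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetcher(prefix)).get(suffix, 0)


def password_problems(password: str, fetcher=fetch_range) -> list:
    """Reasons to reject a candidate password; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    n = pwned_count(password, fetcher)
    if n:
        problems.append(f"found in {n} known breaches")
    return problems


# Constructed stand-in for the API's answer to /range/5BAA6 (SHA-1("password")
# is 5BAA61E4C9B9...). The breach counts and the other two suffixes are
# invented; the count-0 line mimics the padding the API adds.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0AD2B6F4C1F4F8E25A6A2C4C1B9C1C6E0E5:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""


def offline_fetch(prefix: str) -> str:
    """Offline fetcher: returns the constructed sample for its prefix, else an empty range."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", password_problems(candidate, offline_fetch) or "ok")
```

Swap `offline_fetch` for the default `fetch_range` to query the live API; the rest of the logic is unchanged, and the service still never sees more than five hex characters of the hash.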

Infrastructure Security

Cloud Infrastructure

S6 services operate on managed cloud infrastructure:

AWS

us-east-1, us-west-2, ap-southeast-2, eu-central-1

Azure

Australia East, West Europe

On-Premise

Available for Spectra deployments

Network Security

  • DDoS protection through AWS Shield and Azure DDoS Protection
  • Web Application Firewall (WAF) with OWASP Top 10 rule sets
  • Network segmentation and zero-trust architecture
  • Intrusion detection and prevention systems (IDS/IPS)
  • Real-time security monitoring and alerting

Application Security

  • Secure Software Development Lifecycle (SSDLC)
  • Automated security testing in CI/CD pipelines
  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Software Composition Analysis (SCA) for dependency vulnerabilities
  • Regular penetration testing by independent third parties

Binary Verification & Code Signing

All S6 software releases are cryptographically signed to ensure authenticity and integrity:

  • Windows Executables: Extended Validation (EV) Authenticode certificates plus embedded Ed25519 signatures
  • macOS Applications: Apple Developer ID certificates with notarization
  • Linux Packages: GPG signatures for .deb and .rpm packages
  • Container Images: Cosign (Sigstore) signatures recorded in the Rekor transparency log

Verification instructions are provided with each software release.

Data Sovereignty & Localization

Your data, your infrastructure, your control. S6 products are designed with data sovereignty as a core principle:

On-Premise Deployment

S6 Spectra can be deployed entirely within your infrastructure. Your penetration testing data, findings, and configurations never leave your environment.

Regional Data Storage

For cloud services, we offer region-specific deployment options. Australian customers can choose Australia-only data residency. EU customers can choose EU-only storage.

Air-Gapped Options

For defense and government customers, we support fully air-gapped deployments with local LLM hosting and offline operation.

Compliance & Certifications

Current Compliance

  • Australian Privacy Act 1988 - APP-aligned privacy controls
  • GDPR - EU General Data Protection Regulation
  • CCPA/CPRA - California Consumer Privacy Act
  • ISO 27001 - Information Security Management (in progress)

Planned Certifications

  • SOC 2 Type II - Target: Q2 2026
  • FedRAMP - For US government customers
  • IRAP - Australian government assessment
  • Cyber Essentials Plus - UK certification

Incident Response

S6 maintains a documented incident response program with clear owners, escalation paths, and review steps:

  • 24/7 Security Operations: Continuous monitoring and alerting
  • Incident Response Plan: Documented procedures for detection, containment, and recovery
  • Breach Notification: We comply with all applicable breach notification requirements (GDPR 72-hour, CCPA timelines)
  • Forensic Capabilities: In-house digital forensics expertise for investigation
  • Post-Incident Reviews: Lessons learned and continuous improvement

Employee Security & Training

  • Background Checks: All employees undergo background verification appropriate to their role
  • Security Clearances: Team members hold various security clearances for government work
  • Security Training: Mandatory annual security awareness training and phishing simulations
  • Least Privilege: Role-based access control with regular access reviews
  • Confidentiality Agreements: Personnel with access to sensitive information sign confidentiality agreements

Additional Security Resources