
Security Policy

Security is foundational to everything we build. SigDrive is architected for the most demanding classified environments in the world.

View our security.txt file

Our Security Commitment

Scope

This security policy applies to all SigDrive products, services, and infrastructure including the SigDrive Enterprise RF Data Lake platform, associated APIs, documentation portals, and corporate systems. This policy outlines our security practices, vulnerability disclosure program, and our commitments to customers.

Data Protection

  • Encryption at Rest: All stored data is encrypted using AES-256 encryption with customer-managed keys where required.
  • Encryption in Transit: All network communications use TLS 1.3 minimum with strong cipher suites.
  • Data Integrity: SHA-256 checksums validate file integrity from ingestion through access with automatic tampering detection.
  • Data Sovereignty: On-premises deployment ensures the government customer maintains full ownership and control of all data.

Access Control

  • Role-Based Access Control (RBAC): Granular permissions controlling view, upload, annotate, and administrative capabilities.
  • Enterprise SSO: Integration with SAML 2.0, LDAP, and Active Directory for centralized identity management.
  • Multi-Factor Authentication: Support for hardware tokens, CAC/PIV cards, and TOTP authenticators.
  • Audit Logging: Immutable, tamper-evident logs of all user actions with timestamps and attribution.

Infrastructure Security

  • Air-Gap Architecture: No internet dependencies, phone-home licensing, or cloud requirements. Designed for disconnected networks.
  • Containerized Deployment: Kubernetes-based architecture with hardened container images scanned for vulnerabilities.
  • Network Segmentation: Micro-segmentation between services with least-privilege network policies.

Security Architecture Overview

Air-Gap Architecture

SigDrive is designed from the ground up for disconnected networks. No internet dependencies, no phone-home licensing, no cloud requirements.

RBAC & Authentication

Granular Role-Based Access Control with support for enterprise identity providers. Control who can view, upload, annotate, or administer.

Immutable Audit Logs

Every action is logged with timestamps and user attribution. Meet compliance requirements with comprehensive, tamper-evident audit trails.

On-Premises Deployment

Deploy entirely within your infrastructure. The government customer maintains full ownership and control of all data; neither SigDrive nor any cloud provider holds it.

Data Integrity

SHA-256 checksums validate file integrity from ingestion through access. Automatic detection of tampering or corruption.
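The two integrity mechanisms named on this page, a SHA-256 checksum recorded at ingestion and a tamper-evident audit log, fit together naturally: each log record carries the object's checksum, and the records are hash-chained so that the checksum itself cannot be quietly rewritten. The following is an added illustration in Python, not SigDrive code; the record field names, the canonical JSON encoding, the in-memory list standing in for log storage, and the sample capture bytes are all assumptions made for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Hash of the (non-existent) entry before the first one: anchors the chain.
GENESIS_HASH = "0" * 64

def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as lowercase hex; the checksum recorded for each object."""
    return hashlib.sha256(data).hexdigest()

def _canonical(entry: Dict) -> bytes:
    """Deterministic bytes for hashing: every field except the entry's own hash,
    sorted keys, no whitespace, so re-serialising always yields the same input."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_entry(log: List[Dict], actor: str, action: str, obj: str,
                 checksum: str, ts: str) -> Dict:
    """Append one audit record. Its hash covers its own fields plus the previous
    entry's hash, so editing, deleting or reordering an earlier record breaks
    every link after it. The timestamp is passed in (assumed trusted clock)
    so the example stays deterministic."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS_HASH
    entry = {
        "seq": len(log),       # position in the log; detects reordering
        "ts": ts,              # when the action happened
        "actor": actor,        # who did it (attribution)
        "action": action,      # view / upload / annotate / admin
        "object": obj,         # which stored object
        "checksum": checksum,  # SHA-256 of the object at the time of the action
        "prev_hash": prev_hash,
    }
    entry["entry_hash"] = sha256_hex(_canonical(entry))
    log.append(entry)
    return entry

def verify_chain(log: List[Dict]) -> Optional[int]:
    """Walk the chain from genesis. Return the index of the first entry whose
    content, back-link or sequence number fails, or None if the log is intact."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev_hash") != prev_hash:
            return i
        if entry.get("entry_hash") != sha256_hex(_canonical(entry)):
            return i
        prev_hash = entry["entry_hash"]
    return None

def verify_head(log: List[Dict], sealed_head: str) -> bool:
    """A chain with its tail deleted is still internally consistent, so the
    verifier must also keep the last entry hash it saw (the 'seal') somewhere
    the log writer cannot alter, e.g. write-once media or a signed record."""
    if not log or verify_chain(log) is not None:
        return False
    return hmac.compare_digest(log[-1]["entry_hash"], sealed_head)

def verify_object(log: List[Dict], obj: str, data: bytes) -> bool:
    """Compare the object's current bytes with the checksum recorded at upload.
    The log is verified first: a checksum read from a tampered log proves nothing."""
    if verify_chain(log) is not None:
        return False
    uploads = [e for e in log if e["object"] == obj and e["action"] == "upload"]
    if not uploads:
        return False
    return hmac.compare_digest(uploads[-1]["checksum"], sha256_hex(data))

def demo() -> Dict[str, object]:
    """Constructed scenario (not real data): one capture file is uploaded and
    viewed, then the log and the file are tampered with in four different ways."""
    capture = b"constructed sample capture bytes, not real RF data"
    log: List[Dict] = []
    append_entry(log, "analyst1", "upload", "capture-001.bin", sha256_hex(capture), "2024-01-01T00:00:00Z")
    append_entry(log, "analyst2", "view", "capture-001.bin", sha256_hex(capture), "2024-01-01T00:05:00Z")
    sealed_head = log[-1]["entry_hash"]  # kept outside the log by the verifier

    # 1. Attribution rewritten in place: the entry's own hash no longer matches.
    edited = json.loads(json.dumps(log))  # deep copy of plain JSON values
    edited[0]["actor"] = "nobody"
    first_bad = verify_chain(edited)
    # 2. Attacker also recomputes that entry's hash: entry 1's back-link exposes it.
    edited[0]["entry_hash"] = sha256_hex(_canonical(edited[0]))
    first_bad_rehashed = verify_chain(edited)
    # 3. Trailing record deleted: the chain alone passes; the external seal catches it.
    truncated = log[:-1]
    # 4. Object corrupted on disk: the ingestion checksum catches it.
    corrupted = capture[:-1] + b"\x00"

    return {
        "intact": verify_chain(log) is None and verify_head(log, sealed_head)
                  and verify_object(log, "capture-001.bin", capture),
        "first_bad": first_bad,                                            # 0
        "first_bad_rehashed": first_bad_rehashed,                          # 1
        "truncation_seen_by_chain": verify_chain(truncated) is not None,   # False
        "truncation_seen_by_seal": not verify_head(truncated, sealed_head),  # True
        "corruption_detected": not verify_object(log, "capture-001.bin", corrupted),  # True
    }
```

Two caveats a reviewer would raise against any "immutable log" claim are visible in the demo: a hash chain detects edits and reordering but not deletion of the newest records, so the head hash must be anchored outside the writer's control (case 3), and the chain cannot vouch for timestamps or actor identity beyond what the clock and the identity provider supplied when the record was written.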

Vulnerability Management

Regular security assessments and penetration testing. Responsible disclosure program for security researchers.

Compliance & Standards

SigDrive is designed to meet the security requirements of defense and government customers.

  • NIST 800-53: Security controls framework alignment
  • SIPRNet Ready: Secret-level network deployment
  • JWICS Ready: Top Secret network deployment
  • MOSA Compliant: Modular Open Systems Approach
  • FedRAMP Aligned: Federal security baseline
  • CMMC Aware: Cybersecurity Maturity Model Certification

Vulnerability Disclosure Program

How to Report

Send vulnerability reports to security@sigdrive.com. Please include:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any proof-of-concept code (if applicable)
  • Your contact information for follow-up

Our Response Timeline

  • 24 hours: Initial acknowledgment of your report
  • 72 hours: Preliminary assessment and severity classification
  • 7 days: Detailed response with remediation plan
  • 90 days: Target resolution for most vulnerabilities

Safe Harbor

SigDrive considers security research conducted in accordance with this policy to be authorized, lawful, and helpful to the security of our platform. We will not pursue legal action against researchers who act in good faith, report vulnerabilities responsibly, avoid accessing or modifying customer data, and do not disrupt our services. We ask that you give us reasonable time to address vulnerabilities before public disclosure.

Out of Scope

The following are not eligible for our vulnerability disclosure program:

  • Denial of Service (DoS) attacks
  • Social engineering attacks
  • Physical security issues
  • Issues in third-party services
  • Spam or phishing attempts
  • Clickjacking on static pages

Questions About Security?

Our team is available to discuss security requirements, provide additional documentation, or schedule a security review.