Information Security Program
Sentra maintains an internal Information Security Program (ISP) that addresses both our products and our general business practices. The ISP ensures a secure environment for our employees, customers, systems, and the data we manage.
Our ISP is designed to implement appropriate technical and organizational security measures covering our product environments and related company systems, and covers key areas including access controls, employee training, physical security, network and cloud security, encryption, credential and key management, and software development life cycle policies and practices including security by design.
Additional information is available at https://trust.sentra.io/
SOC 2 Compliance
As part of our commitment to safeguard customer data and maintain excellence in security controls and operations, Sentra submits our platform for an annual SOC 2 Type 2 audit to ensure the appropriate safeguards are applied to customer data and evaluate how well those controls are operating. Sentra’s SOC 2 Type 2 report is available upon request and under a non-disclosure agreement. The SOC 2 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) existing Trust Services Criteria (TSC).
ISO 27001 Certification
The Standards Institution of Israel certifies that Sentra operates an Information Security Management System (ISMS) that conforms to the requirements of ISO/IEC 27001:2022.
Certificate Issuance date May 12, 2025
Expiration date May 15, 2028
Platform Architecture
Sentra provides a cloud-native Data Security Platform (DSP) that delivers highly scalable and highly available services, with security built in as a first principle. The service is designed to limit the information processed outside of a customer’s cloud environment. Sentra’s scanning infrastructure operates within an isolated virtual network, where scanners are typically deployed within the customer cloud environment. The scanners have read-only permissions to the customer’s environment, ensuring that Sentra does not create or delete anything outside the isolated virtual network.
Customer data never crosses regions; all data analysis occurs in the same region where the data was originally discovered. Sentra connects to customer environments using cloud-native APIs, which means that no agents are deployed. Sentra provides a flexible architecture that gives customers complete control over where scanning takes place. Scanning can be performed in either a Sentra-owned scanner, offering a straightforward installation and maintenance, or in a customer-owned scanner account, ensuring a highly secure scanning process. In the latter option, no data leaves the customer’s environment, and all scanning is conducted entirely within the customer’s infrastructure.
Data is encrypted across the Sentra platform at all times, both at rest and in transit. All communication is encrypted using TLS 1.2 or higher. All data managed by the platform is encrypted at the database or volume level using AES-256 encryption. Sentra’s architecture, engineering, product, and operations teams are experienced cyber security experts from both the public and defense sectors. Each team follows strict, secure software development lifecycle (SSDLC) procedures and best practices. All platform code is peer reviewed and passes SAST and SCA scans; SAST scans the application code to discover faulty code posing a security threat, while SCA scans ensure application code is free of vulnerabilities and license violations in open-source dependencies.
Additionally, we conduct annual 3rd party penetration test exercises on our application. Any high criticality findings are triaged and fixed immediately.
A full platform security architecture document, that includes the information from this trust center, along with backend security,
access control mechanisms and more, is available upon request.