Trust Center
How we protect your mission data — infrastructure, access controls, compliance, and responsible disclosure.
Enterprise-grade protection
Encryption
All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Database connections use SSL. Backups are encrypted.
Web Application Firewall
Built-in WAF with mission-specific rules: blocks parameter tampering, capability injection, AJAX abuse, and malformed API payloads.
Authentication
Secure password hashing (bcrypt), optional TOTP two-factor authentication, SSO via Google and Microsoft, and session management.
Access Controls
12 mission-level roles with a granular capability matrix. Portal-level RBAC ensures users only see and edit data they are authorized for.
Audit Logging
Immutable event log for all user and mission actions. Filterable by event type, user, mission, and organization. CSV export for compliance.
Credential Scanning
Passwords are checked against the Have I Been Pwned database using k-anonymity. Weekly automated scans plus on-login checks.
Standards we follow
SOC 2 Type II
Controls aligned with SOC 2 Trust Services Criteria for security, availability, and confidentiality.
GDPR
Full data export, right to deletion, data processing agreements, and EU-compatible data handling practices.
ITAR Awareness
Platform supports classification tagging and access controls for ITAR-sensitive mission data. Customers are responsible for ITAR compliance.
NIST 800-171
Security controls mapped to NIST 800-171 requirements for protecting Controlled Unclassified Information (CUI).
How we handle your data
Data Ownership
You retain full ownership of all mission data you create or upload. We never access, sell, or share your engineering data.
Data Isolation
Mission data is isolated per organization. Row-level security policies ensure users can only access data belonging to their team.
Data Export
Export all mission data at any time in structured JSON or PDF format. Enterprise plans include full GDPR data exports.
Data Deletion
When you delete your account, all personal data is removed within 30 days. Mission data can be exported before deletion.
Backup & Recovery
Automated daily backups with point-in-time recovery. Backups are encrypted and stored in geographically separate regions.
Data Classification
Tag mission parameters and documents with classification levels (Unclassified, CUI, ITAR, EAR) for access control enforcement.
Where your data lives
ITAR & CUI Support
Mission engineering teams frequently handle International Traffic in Arms Regulations (ITAR) and Controlled Unclassified Information (CUI) data. SMAD Portal provides the infrastructure and access controls these programs require. The customer is ultimately responsible for ITAR compliance within their organization.
US-Only Hosting
Cloud deployment runs exclusively on US-based infrastructure. Self-hosted deployment runs entirely on your own servers with no external network calls.
Classification Tagging
Tag requirements, documents, and mission parameters with classification levels: Unclassified, CUI, ITAR, and EAR. Tags enforce access control policies automatically.
Foreign Person Access Control
Mission-level role assignments allow you to restrict access to US Persons only. Administrators control who can view or edit ITAR-marked data.
Audit Trail for Compliance
Every access, edit, and export is logged with timestamp, user identity, and IP address. Export audit logs in CSV for compliance reviews and investigations.
Controlled Export
PDF and CSV exports include classification markings and handling caveats. Export actions are logged and can be restricted by role.
CUI Marking Support
Apply CUI category markings (CUI//SP-EXPT, CUI//SP-CTI, etc.) to mission data. Markings flow through to all generated deliverables and exports.
Air-Gap Architecture
For programs that require complete network isolation, SMAD Portal supports a fully self-hosted deployment with zero external dependencies. No CDN calls, no analytics beacons, no third-party fonts. The entire application runs on your infrastructure.
Zero External Calls
No analytics, no CDN fonts, no telemetry, no license phone-home. The application operates identically whether connected to the internet or completely isolated.
Docker Compose Deployment
Deploy the entire stack with a single docker compose command. Pre-built images include all dependencies. Air-gap installations receive updates via signed archive files transferred through approved media.
Local Authentication
Self-hosted Supabase Auth handles all authentication locally. No dependency on external identity providers. Optional SSO integration for environments that maintain an internal IdP.
Offline Engineering Calculators
All 50+ engineering calculators run client-side with no server round-trips. Orbit analysis, link budgets, and mass calculations work identically in air-gapped environments.
Responsible Disclosure
If you discover a security vulnerability in SMAD Portal, please report it responsibly. We appreciate your help keeping our users safe.
Please do not publicly disclose the issue until we have had a reasonable opportunity to address it. We aim to acknowledge reports within 48 hours and provide a resolution timeline within 5 business days.
Need a security review?
We are happy to walk through our security posture with your ISSM, ISSO, or compliance team. No sales pitch required.