Security at Tirion

We handle sensitive intelligence data. Security is the foundation everything else is built on. Each item below shows exactly where we are — implemented, actively building, or on the roadmap.

Encryption everywhere ✓ Active
TLS 1.3 for all data in transit. AES-256 for all data at rest. Encrypted from ingestion to display.
Access controls ✓ Active
Auth0-backed authentication with role-based access control (RBAC). MFA available for all accounts, required for admins.
Threat detection ◐ In progress
DDoS protection via Cloudflare is active. AWS GuardDuty and CloudWatch continuous monitoring are actively being configured and validated.
Audit logging ◐ In progress
Access logging infrastructure is actively being built. We are completing coverage across all sensitive data paths and building the immutable log store before marking this fully active.
Network isolation ○ Planned
Moving databases into AWS private subnets with no direct public internet access is in architecture planning. It is currently on our deployment roadmap for this year.
Data separation ○ Planned
Customer account data and intelligence data will be isolated in separate databases with independent access controls. The separation is designed into the schema; deploying it as distinct infrastructure is on our roadmap.

Compliance & certifications

SOC 2 Type II ○ Planned
SOC 2 Type II is on our roadmap. We are designing systems around the five trust service criteria and will begin the formal audit process when our infrastructure reaches production scale.
Vendor Security Alliance ◐ In progress
Completing the VSA questionnaire. Contact us for current security documentation.
Encryption standards ✓ Active
TLS 1.3 for all connections. AES-256 at rest. AWS KMS for key management. HSTS enforced.

Infrastructure security

Cloud infrastructure ✓ Active
Runs on Amazon Web Services (AWS) with SOC 1/2/3, ISO 27001, and FedRAMP certifications. HIPAA-eligible and PCI DSS compliant services.
DDoS protection ✓ Active
Cloudflare sits in front of all public traffic, providing DDoS mitigation, WAF on all public endpoints, and HSTS enforcement.
Incident response ◐ In progress
We have internal procedures for handling incidents and are formalizing them into a documented plan — including escalation paths, SLAs, and customer notification workflows. Our target: critical incidents acknowledged within 15 minutes.
72-hour breach notification ○ Planned
Formal breach notification procedures — including customer notification within 72 hours — are being documented as part of our incident response plan. This commitment will be contractually formalized at general availability.
Vulnerability management ◐ In progress
Automated dependency monitoring is active. Scheduled vulnerability scanning is being configured. We run aggressive patch management and take all reports seriously. If you discover a security vulnerability, please contact security@tiriondata.com.
Daily automated backups ✓ Active
Daily automated backups with point-in-time recovery are running. RTO: 4 hours. RPO: 1 hour.
Encrypted backups in a separate region ○ Planned
Cross-region encrypted backup replication is on our roadmap. Current backups are encrypted and automated; geographic redundancy to a separate AWS region is a near-term infrastructure milestone.

Data sourcing & subject rights

All data is public record ✓ Active
Tirion aggregates data exclusively from publicly available government sources: county assessor records, SEC EDGAR filings, FEC campaign contributions, and IRS Form 990 filings. We do not purchase data from brokers, scrape behind authentication walls, or use any proprietary or non-public sources. Every data point in the platform traces to an official public record.
Individuals in our database
Our platform aggregates publicly available government records to build research profiles. If you are an individual who appears in our database and wish to inquire about the information we hold, request corrections, or ask about suppression, please contact privacy@tiriondata.com. We respond to all inquiries and take data accuracy seriously.
Suppression requests
We honor suppression requests from individuals who wish to be excluded from our research database. Suppressed records are flagged and excluded from search results and profile displays. We maintain a suppression registry to ensure removed records are not re-added during subsequent data refreshes.

Our security journey

We believe in transparency. The status badges above show exactly where we are on each security measure. "Active" means fully implemented and verified. "In progress" means we are actively building it. "Planned" means it is on our roadmap with a defined direction.

We are a startup building in the open. Our infrastructure is evolving from a focused development environment to production-grade cloud deployment. We chose to show you where we actually are rather than where we hope to be — because the organizations trusting us with their donor intelligence deserve an accurate picture.

If a specific control matters to your organization's vendor review process, contact us. We are happy to discuss timelines, share documentation, or work through your security questionnaire directly.

Last updated: March 2026 · Questions? security@tiriondata.com

Have security questions?

We are happy to discuss our security practices, provide documentation, or complete your organization's security questionnaire.