Security at DepChain

Infrastructure

DepChain runs on Microsoft Azure infrastructure located in the East US region. No customer data is stored or processed outside the United States. Our production environment is fully managed within Azure's U.S.-based data centers.

Encryption

All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256 across all storage layers, including our PostgreSQL database and any temporary processing storage.

Data Isolation

Each customer's BOM data is logically isolated within our platform. We do not commingle customer data. Access controls ensure that your supply chain information is only visible to authorized users within your organization.

AI & Data Usage

BOM data is processed using Azure OpenAI for compliance analysis, including screening against federal restriction lists and generating risk assessments. Your data is never used to train AI models. Azure OpenAI does not retain customer data after processing.

Data Classification

DepChain currently supports unclassified, publicly available supply chain data only. Do not upload ITAR-controlled technical data, Controlled Unclassified Information (CUI), or classified information to the platform.

Files containing sensitive classification markers (e.g., ITAR, CUI, NOFORN) are automatically rejected at upload. All uploads require an explicit data classification acknowledgment before processing.

Audit Logging

Every compliance check, BOM upload, analysis, and export is recorded in an immutable audit log with timestamps, user identity, and IP address. Users can view their own audit trail via the platform API.
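The page does not say how immutability is achieved; as an added example (not DepChain's implementation) the following shows one common approach, a hash-chained append-only log, recording the fields the page lists (timestamp, user identity, IP address, action). Class and function names and the sample events are constructed for this illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def _digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so key order cannot change the hash."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only event log; every entry commits to the hash of the one before it,
    so editing or reordering a past entry breaks every hash after it."""

    def __init__(self) -> None:
        self.entries = []

    def record(self, action: str, user: str, ip: str,
               details: Optional[dict] = None,
               timestamp: Optional[datetime] = None) -> str:
        ts = timestamp or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "timestamp": ts.isoformat(),
            "user": user,
            "ip": ip,
            "action": action,
            "details": details or {},
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS_HASH,
        }
        entry["hash"] = _digest(entry)  # hashed before the "hash" key exists
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain. Returns (True, None) or (False, seq of first bad entry)."""
        prev = GENESIS_HASH
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False, e["seq"]
            prev = e["hash"]
        return True, None

    def trail_for(self, user: str) -> list:
        """The subset a user may see as their own audit trail."""
        return [e for e in self.entries if e["user"] == user]


def build_sample_log() -> AuditLog:
    """Constructed sample events (not real data); fixed timestamps keep it deterministic."""
    log = AuditLog()
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    log.record("bom_upload", "alice@example.com", "198.51.100.10", {"file": "bom.csv"}, t0)
    log.record("compliance_check", "alice@example.com", "198.51.100.10", {"list": "entity"}, t0)
    log.record("export", "bob@example.com", "198.51.100.22", {"format": "csv"}, t0)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    log.entries[1]["ip"] = "203.0.113.9"   # simulate an after-the-fact edit
    print("after edit:", log.verify())     # reports the first broken entry
```

A chain like this detects modification and reordering of stored entries but not truncation of the tail; the usual remedy is to periodically anchor the latest hash somewhere the log writer cannot alter (a separate write-once store or a signed checkpoint). The `trail_for` filter shows the minimum needed for the per-user view the page describes; in a real deployment the log store itself would also be append-only at the storage layer.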

Compliance Roadmap

SOC 2 Type II and CMMC Level 2 certifications are on our roadmap. We are building toward FedRAMP authorization to serve federal customers directly. Our platform architecture has been designed from the ground up with these certifications in mind.

Access Control

All platform access is governed by role-based access controls. Internal access to production systems is restricted to authorized personnel, and all access events are logged and auditable.

Vulnerability Management

We perform regular dependency scanning and apply security updates on an ongoing basis. Our CI/CD pipeline includes automated checks to identify and remediate known vulnerabilities before they reach production.

Detailed Documentation

We provide detailed security documentation, architecture diagrams, and our security questionnaire responses under NDA for design partners and prospective customers.

Contact

For security inquiries or to request documentation under NDA, contact [email protected].