Trust CentreSecurity & Data Protection

Security & data protection

This page describes how SIFTR protects uploaded information and applies security controls across the data lifecycle.

SIFTR is designed to support internal assurance activity and handles potentially sensitive organisational documentation. Security and data protection are therefore treated as core design requirements.

Security principles

SIFTR follows a small set of practical security principles:

  • Data minimisation — only information required for CAF evidence mapping is processed
  • Purpose limitation — documents are analysed only for the user-selected assessment
  • Least privilege — access to systems and data is restricted to what is necessary
  • Transparency — security behaviour is documented and reviewable
  • Defensive defaults — conservative choices are preferred over convenience

Hosting and infrastructure

SIFTR is hosted in Amazon Web Services (AWS).

Infrastructure is deployed within UK or EU regions, depending on configuration and availability.

The platform uses managed cloud services to support:

  • Network isolation
  • Secure service-to-service communication
  • Infrastructure-level monitoring and logging

No customer data is used to train AI models.

Data types processed

Depending on use, SIFTR may process:

  • Organisational governance and assurance documents (PDF)
  • Derived analytical outputs (evidence quotes, classifications, rationales)
  • System metadata (timestamps, document identifiers, assessment scope)

SIFTR is not designed to process large volumes of personal data. Where personal or identifying information is present in uploaded documents, it is handled in line with data minimisation principles.

Encryption

Data in transit

  • Data is transmitted over encrypted connections (HTTPS/TLS)

Data at rest

  • Uploaded documents and derived outputs are stored using cloud-native encryption mechanisms provided by AWS

Access control

Access to SIFTR systems is restricted using role-based controls.

  • Only authorised users can upload or review documents
  • Administrative access is limited and logged
  • Direct access to production systems is restricted

There is no routine manual inspection of customer documents.

Document handling and retention

Uploaded documents are:

  • Stored only for the duration required to support the assessment and review process
  • Used solely for the specific CAF mapping activity selected by the user

Retention periods may be adjusted as the platform evolves. Where documents are deleted, associated derived data is removed in line with platform behaviour.

SIFTR does not reuse uploaded documents across customers or assessments.

Logging and monitoring

SIFTR records operational events to support:

  • Troubleshooting
  • Auditability of assessments
  • Detection of abnormal behaviour

Logged information may include:

  • Document ingestion events
  • Assessment execution
  • Errors or processing failures
  • Timestamps and identifiers

Logs are used for operational and security purposes only.

AI interaction security

SIFTR’s analysis pipeline is designed to reduce the risk of unintended AI behaviour.

Controls include:

  • Sanitisation of inputs before analysis
  • Strict quote-only output rules
  • Separation between document preparation and evidence mapping stages
  • Explicit constraints to prevent inference or content generation

AI outputs are treated as analytical results, not authoritative decisions.

Customer responsibilities

Customers are responsible for:

  • Selecting appropriate documents for upload
  • Avoiding inclusion of unnecessary personal data
  • Reviewing outputs before using them in assurance or reporting contexts
  • Applying their own governance and approval processes

Security review and improvement

SIFTR’s security approach is reviewed as the platform evolves.

As the product matures, additional measures may be introduced, including:

  • Expanded monitoring
  • Independent security testing
  • Formalised security documentation

Any such changes will be reflected in this Trust Centre.

Contact

For security-related questions or disclosures, please contact: security@siftr.so

For general trust and documentation enquiries: trust@siftr.so

Last updated: January 2026

How SIFTR WorksAuditability & Traceability
© 2026 SIFTR PBC. All rights reserved.