Security Program
Protecting your data through industry-leading security practices and infrastructure.
Security is Our Foundation
As a next-generation defense contractor specializing in security solutions, we understand that protecting your data is not just a feature: it is fundamental to everything we do. Our security program is designed, implemented, and continuously improved by highly experienced security professionals with backgrounds in defense, government, and private industry.
Vulnerability Reporting
We welcome responsible disclosure of security vulnerabilities. If you discover a security issue in any S6 product or service, please report it to our security team.
Security Team:
For our complete vulnerability disclosure policy and coordinated disclosure timeline, see our Vulnerability Disclosure Policy.
Encryption Standards
Data in Transit
All data transmitted between clients and S6 infrastructure uses TLS 1.3 encryption with perfect forward secrecy. We maintain strict cipher suite requirements and disable legacy protocols.
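The practical test of a "TLS 1.3 with forward secrecy, legacy protocols disabled" claim is the server context itself. The example below is added here for illustration and is not S6's configuration: it builds a server-side context that negotiates TLS 1.3 and nothing older, and a small audit that reports when a context still admits earlier versions. It assumes CPython 3.7 or later linked against OpenSSL 1.1.1 or later (required for TLS 1.3); the certificate and key paths are placeholders and the legacy context exists only as the comparison case.

```python
"""TLS 1.3-only server context plus an audit helper.

Added example, not S6's configuration. Assumes CPython 3.7+ linked against
OpenSSL 1.1.1 or later (needed for TLS 1.3); certificate paths are placeholders.
"""
import ssl


def hardened_server_context(certfile=None, keyfile=None):
    """Build a server context that negotiates TLS 1.3 and nothing older.

    Every TLS 1.3 cipher suite uses ephemeral (EC)DHE key exchange, so pinning
    both ends of the version range to 1.3 is what delivers forward secrecy;
    no separate cipher string is needed. Cert/key are optional so the context
    can be built and audited without key material.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # Neither compression (CRIME) nor renegotiation exists in TLS 1.3, but keep
    # the options set so the context stays safe if minimum_version is ever lowered.
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_server_context():
    """Comparison case: a context whose floor is TLS 1.2, as many defaults still are."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return human-readable findings; an empty list means TLS 1.3-only.

    Because all TLS 1.3 suites are (EC)DHE, a 1.3 floor is also the check
    for forward secrecy: a static-RSA suite can only be reached below 1.3.
    """
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append(
            f"minimum_version={ctx.minimum_version.name}: "
            "pre-1.3 handshakes (and any non-PFS suites they allow) are negotiable"
        )
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_server_context()) or "no findings")
    print("legacy:  ", audit_context(legacy_server_context()))
```

From the client side, the equivalent check is to attempt a handshake capped at TLS 1.2 (for example with `openssl s_client -tls1_2`) and confirm that the server refuses it.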
Data at Rest
All customer data stored in our infrastructure is encrypted using AES-256 encryption. Encryption keys are managed through AWS KMS and Azure Key Vault with strict access controls and rotation policies.
Authentication & Access Control
Multi-Factor Authentication (MFA)
We support industry-standard MFA methods including:
- FIDO2/WebAuthn: Hardware security keys (YubiKey, Google Titan, Feitian)
- TOTP: Time-based one-time passwords (Google Authenticator, Authy)
- Biometric: Windows Hello, Touch ID, Face ID
- SMS/Email: Backup verification methods
MFA is required for all administrative accounts and strongly recommended for all users.
Single Sign-On (SSO)
Enterprise customers can integrate with their identity provider using SAML 2.0. Tested integrations include:
- Okta
- Microsoft Azure AD / Entra ID
- Google Workspace
- Auth0
- Ping Identity
- Shibboleth
Password Security
User passwords are hashed using Argon2id, an industry-leading memory-hard hashing algorithm resistant to GPU/ASIC attacks. We enforce strong password requirements and integrate with Have I Been Pwned to prevent use of compromised credentials.
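The Have I Been Pwned integration referenced above is normally done through the Pwned Passwords range API, which uses k-anonymity: the client sends only the first five hex characters of the password's SHA-1 hash, receives every hash suffix in that bucket, and matches locally, so the password never leaves the client. The example below is added here to show that check end to end; it is not S6's code. The range response it uses is constructed for the example (the one real value is that the first suffix completes SHA-1 of `password`; the counts and other suffixes are invented), the offline fetcher stands in for the live API, and `https_fetch_range` shows the real call with the `Add-Padding: true` header. Argon2id hashing of the password itself is not shown because it is not in the Python standard library.

```python
"""k-anonymity check against Pwned Passwords (Have I Been Pwned).

Added example, not S6's code. Only the first five hex characters of the SHA-1
hash ever leave the client; the API returns every suffix in that bucket and the
match is made locally. The range data below is CONSTRUCTED for the example;
the real endpoint is fetched by https_fetch_range().
"""
import hashlib
import urllib.request

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the API: one bucket, keyed by the 5-char SHA-1 prefix.
# The second suffix completes SHA-1("password"); its count and the other rows are
# invented. The ':0' row imitates the padding rows the API adds when the client
# sends 'Add-Padding: true', so that response size does not reveal the bucket.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        "0123456789ABCDEF0123456789ABCDEF012:0",
    ]),
}


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the API and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Padding rows carry a count of 0 and are dropped so they can never be
    mistaken for a hit; malformed lines are skipped rather than trusted.
    """
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def constructed_fetch_range(prefix):
    """Offline stand-in for the API; unknown buckets return an empty body."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def https_fetch_range(prefix, timeout=5):
    """Fetch a real bucket. Add-Padding asks the service for dummy rows so the
    response length does not tell a network observer which bucket was queried."""
    req = urllib.request.Request(API_RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=constructed_fetch_range):
    """Number of times the password appears in known breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password, fetch_range=constructed_fetch_range):
    """Policy hook: reject any password that has appeared in a breach even once."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate), "breach occurrence(s)")
```

Two design points matter in production: the lookup should fail closed or fall back to an explicit policy decision if the API is unreachable, rather than silently accepting the password, and the SHA-1 here is only a lookup key for the breach corpus, not the stored credential hash, which remains Argon2id.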
Infrastructure Security
Cloud Infrastructure
S6 services operate on enterprise-grade cloud infrastructure:
AWS
us-east-1, us-west-2, ap-southeast-2, eu-central-1
Azure
Australia East, West Europe
On-Premise
Available for Spectra deployments
Network Security
- DDoS protection through AWS Shield and Azure DDoS Protection
- Web Application Firewall (WAF) with OWASP Top 10 rule sets
- Network segmentation and zero-trust architecture
- Intrusion detection and prevention systems (IDS/IPS)
- Real-time security monitoring and alerting
Application Security
- Secure Software Development Lifecycle (SSDLC)
- Automated security testing in CI/CD pipelines
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Software Composition Analysis (SCA) for dependency vulnerabilities
- Regular penetration testing by independent third parties
Binary Verification & Code Signing
All S6 software releases are cryptographically signed to ensure authenticity and integrity:
- Windows Executables: Extended Validation (EV) Authenticode certificates plus embedded Ed25519 signatures
- macOS Applications: Apple Developer ID certificates with notarization
- Linux Packages: GPG signatures for .deb and .rpm packages
- Container Images: Cosign signatures with transparency log integration
Verification instructions are provided with each software release.
Data Sovereignty & Localization
Your data, your infrastructure, your control. S6 products are designed with data sovereignty as a core principle:
On-Premise Deployment
S6 Spectra can be deployed entirely within your infrastructure. Your penetration testing data, findings, and configurations never leave your environment.
Regional Data Storage
For cloud services, we offer region-specific deployment options. Australian customers can choose Australia-only data residency. EU customers can choose EU-only storage.
Air-Gapped Options
For defense and government customers, we support fully air-gapped deployments with local LLM hosting and offline operation.
Compliance & Certifications
Current Compliance
- Australian Privacy Act 1988 - Full compliance with APPs
- GDPR - EU General Data Protection Regulation
- CCPA/CPRA - California Consumer Privacy Act
- ISO 27001 - Information Security Management (in progress)
Planned Certifications
- SOC 2 Type II - Target: Q2 2026
- FedRAMP - For US government customers
- IRAP - Australian government assessment
- Cyber Essentials Plus - UK certification
Incident Response
S6 maintains a comprehensive incident response program designed, implemented, and managed by experienced security professionals:
- 24/7 Security Operations: Continuous monitoring and alerting
- Incident Response Plan: Documented procedures for detection, containment, and recovery
- Breach Notification: We comply with all applicable breach notification requirements (GDPR 72-hour, CCPA timelines)
- Forensic Capabilities: In-house digital forensics expertise for investigation
- Post-Incident Reviews: Lessons learned and continuous improvement
Employee Security & Training
- Background Checks: All employees undergo background verification appropriate to their role
- Security Clearances: Team members hold various security clearances for government work
- Security Training: Mandatory annual security awareness training and phishing simulations
- Least Privilege: Role-based access control with regular access reviews
- Confidentiality Agreements: All personnel sign comprehensive NDAs and confidentiality agreements
Additional Security Resources
Vulnerability Disclosure Policy
Coordinated disclosure process and security researcher guidelines
Data Processing Agreement
GDPR-compliant data processing terms and security commitments
Privacy Policy
How we collect, use, and protect your personal information
Contact Security Team
Report vulnerabilities or security concerns