Trust & Security

Security posture & certification roadmap

CHARIS is operated by Sicuro Group LLC. This page is an honest snapshot of our security posture and the formal certifications on our roadmap. We update it whenever something material changes.

ISO 22301:2019 — Business Continuity (product domain)

Aligned

CHARIS is purpose-built around the ISO 22301:2019 business continuity management lifecycle. Trigger taxonomy, posture model, re-entry decision flow and reporting all reference clauses 8.2–8.6 of the standard. This is the product alignment, not a corporate ISMS audit — see ISO 27001 below for that track.

SOC 2 Type I — Service Organization Controls

Roadmap · 2026

We are scoping a SOC 2 Type I attestation covering the Trust Services Criteria for Security, Availability and Confidentiality. Internal controls (least-privilege access, encrypted secrets, audit logging, change management) are already operational and documented; the formal third-party audit is planned for the H2 2026 window.

ISO/IEC 27001:2022 — Information Security Management

Roadmap · 2026–2027

ISO 27001 certification of the corporate ISMS that operates CHARIS is on the post-SOC 2 roadmap. Sicuro Group LLC's parent organisation already maintains an information-security policy framework aligned to ISO 27001 Annex A controls. A Stage 1 readiness review is planned for 2026.

Penetration testing & vulnerability management

Operational

Dependencies are continuously monitored for known CVEs. Application code and infrastructure are scanned on every release. Authenticated penetration tests by an external firm are scheduled annually; the most recent test scope and remediation status are available to enterprise customers under NDA.

Authentication & access control

Operational

All accounts support TOTP-based two-factor authentication. Admin accounts must enrol in 2FA. Session tokens are HttpOnly + Secure cookies, scoped to the application domain. Passwords are stored using a memory-hard hash (argon2-class). Role-based access separates client tenants from admin operators.

Data residency & encryption

Operational

All data is encrypted in transit (TLS 1.2+) and at rest. Customer assessment data is logically segregated per tenant. Personnel re-entry data is intentionally aggregated and anonymised — CHARIS does not require named individuals to deliver re-entry planning. Data export and account deletion are user-controlled.

Reporting a vulnerability

Please email risk@sicurogroup.com with details and steps to reproduce. We acknowledge reports within two business days. Coordinated disclosure is appreciated.

Sicuro Group LLC · risk@sicurogroup.com · +971 (4) 363 5392 · Dubai, UAE