Trust & security

Trust at Shards.

Cybersecurity software has to be cybersecurity-clean itself. The product we sell is supplier assurance — discipline about how suppliers are treated, how evidence is handled, how decisions are signed. That same discipline runs through how we build, host, and operate.

This page explains where your data lives, how it's isolated from other customers, how we use AI, who our sub-processors are, and where we stand on third-party assurance.

Where your data lives

EU-only. Microsoft Azure, North Europe (Ireland) and West Europe (Netherlands) regions. No customer data leaves the EU under any default configuration.

For buyers with stricter requirements, single-tenant deployments are available in the same regions on request. The deployment model doesn't change the EU-only commitment.

Tenant isolation

Every customer's data is partitioned by BuyerOrgId. The application layer enforces tenant boundaries on every read and write — clients never decide tenant context on writes; the server resolves it from authenticated identity. Row-level security in the database is enabled as a defence-in-depth backstop.

In practice, this means Customer A's evidence, decisions, and sub-processor lists cannot be queried, exported, or accidentally surfaced to Customer B. The architecture makes cross-tenant leakage a structural impossibility, not a control we trust to behave.

How evidence is handled

  • Short-lived SAS tokens. Evidence files are accessed via signed URLs that expire within minutes. No permanent file links.
  • Immutable by path. Once an evidence file is uploaded, the path it lives at never changes. Replacements get new paths and new hashes.
  • Hash-anchored. Every evidence artefact carries a SHA-256 hash that travels with it through every reuse, decision, and export.
  • Malware scanning. Every upload is scanned before it's accessible to reviewers.
  • Append-only audit log. Every action — uploads, reviews, decisions, exports, exceptions — emits an audit event that cannot be modified after the fact.
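How the evidence controls listed above fit together, as an added example that is not Shards' code: a content-addressed path that changes whenever the bytes change, a SHA-256 digest that travels with the record, an append-only audit log whose events are hash-chained so later modification is detectable, and an expiring signed URL. The signed URL is a plain HMAC stand-in that shows the shape of an expiry-plus-signature check; it is not Azure's SAS token format. All function names and the sample evidence bytes are constructed for the illustration.

```python
"""Hash-anchored evidence, hash-chained audit log and expiring signed URLs.

Added illustration only; the real product uses Azure Blob SAS tokens, whose
format this does not reproduce. Times are passed in explicitly so the
behaviour is deterministic.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evidence_path(buyer_org_id: str, data: bytes) -> str:
    # Content-addressed: the path is derived from the digest, so an uploaded
    # file's path never changes and a replacement lands at a new path.
    return f"evidence/{buyer_org_id}/{sha256_hex(data)}"


class AuditLog:
    """Append-only log; each event commits to the hash of the previous one."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._events: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def append(self, actor: str, action: str, **details) -> dict:
        prev = self._events[-1]["event_hash"] if self._events else self.GENESIS
        body = {"seq": len(self._events), "actor": actor, "action": action,
                "details": details, "prev_hash": prev}
        event = {**body, "event_hash": self._digest(body)}
        self._events.append(event)
        return event

    def verify(self) -> bool:
        # Recompute every hash and every link; any edit, reorder or deletion
        # after the fact breaks the chain.
        prev = self.GENESIS
        for i, ev in enumerate(self._events):
            body = {k: v for k, v in ev.items() if k != "event_hash"}
            if ev["seq"] != i or ev["prev_hash"] != prev:
                return False
            if self._digest(body) != ev["event_hash"]:
                return False
            prev = ev["event_hash"]
        return True

    def events(self) -> list[dict]:
        return list(self._events)


def sign_url(secret: bytes, path: str, now: int, ttl_seconds: int = 300) -> str:
    # Short-lived link: the signature covers path and expiry, so neither can
    # be altered without invalidating it.
    exp = now + ttl_seconds
    sig = hmac.new(secret, f"{path}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{path}?exp={exp}&sig={sig}"


def verify_url(secret: bytes, url: str, now: int) -> bool:
    path, _, query = url.partition("?")
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    try:
        exp = int(params["exp"])
    except (KeyError, ValueError):
        return False
    if now >= exp:
        return False  # expired links are refused before any signature work
    expected = hmac.new(secret, f"{path}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, params.get("sig", ""))


def upload_and_review() -> tuple[str, AuditLog]:
    """Constructed walk-through: upload, hash-anchor, review, export."""
    data = b"constructed sample: supplier SOC 2 bridge letter"
    path = evidence_path("org-A", data)
    log = AuditLog()
    log.append("alice", "upload", path=path, sha256=sha256_hex(data))
    log.append("bob", "review", path=path, sha256=sha256_hex(data))
    log.append("bob", "export", path=path, sha256=sha256_hex(data))
    return path, log
```

Note that the digest recorded at upload is the same value every later event cites, which is what lets a reviewer confirm that the artefact behind a decision or export is byte-for-byte the one that was scanned and reviewed.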

How AI is used (and not used)

AI in the product is assist-only and citation-bound:

  • Hosted in the EU. Azure OpenAI, EU region. Customer evidence never crosses tenant boundaries and is never sent to third-party model providers.
  • Retrieval-grounded. AI suggestions are grounded in your evidence, with mandatory citations to specific source artefacts. No citation, no claim.
  • Human-approved. AI never approves a supplier, closes a review, or modifies decision state automatically. Every AI suggestion is a draft for a human to accept, modify, or reject.
  • Auditable. Every AI interaction emits an audit event with model version, evidence set, and timestamp.

We don't train models on customer data. We don't share evidence with third-party AI services. We don't auto-approve.

Sub-processors

Our current sub-processor list:

  • Microsoft Azure (EU regions only) — hosting, database, blob storage, AI inference via Azure OpenAI
  • Resend (EU region) — transactional email delivery

The sub-processor list is updated whenever a sub-processor is added or removed. Customers are notified in advance of additions, with the right to object.

Compliance posture

We're working toward:

  • SOC 2 Type I — readiness work in progress, target completion within 12 months
  • ISO 27001 — preparation in progress, certification target within 18 months

We don't claim certifications we don't have. When the audits land, this page will say so. We'd rather be honest about being early than overclaim.

In the meantime, we're transparent about the technical and organisational measures already in place — see this page and our DPA template for the full picture.

Vulnerability disclosure

If you've found a security issue, please email security@shardscybersecurity.io. We respond within one business day.

See our security.txt for the canonical disclosure address.

Status

A real-time public status page is on the roadmap. Until then, incident updates go to affected customers by email; if you suspect an outage, write to security@shardscybersecurity.io.

Data Processing Agreement

A standard GDPR Article 28-compliant DPA is available — see our DPA template page for what it covers and how to get a copy.

Still have questions?

Walk through the architecture with the founder.

If you have a security or trust question that isn't answered here, book a call. Happy to walk through the architecture, our roadmap, or anything in between.
