Security is a foundational pillar of Share Of Model. The platform is designed, operated and continuously improved in alignment with SOC 2 security principles, industry best practices and customer expectations.
Continuous Security Testing
Share Of Model goes beyond standard compliance requirements by operating continuous security testing across its applications.
Application penetration tests are performed on an ongoing basis, exceeding the minimum annual SOC 2 requirement
Weekly penetration testing is conducted using Acunetix, including before major releases or production changes
The most recent penetration test was conducted in 2025
In parallel, automated vulnerability scanning runs continuously:
Acunetix for weekly dynamic scanning
Snyk and DeepSource for continuous code and dependency scanning
Vulnerabilities are identified proactively, including prior to production deployments
Secure Development Lifecycle
Security is embedded throughout the development process:
Development follows OWASP-aligned secure coding practices
Automated security reviews are integrated into CI pipelines
Manual peer code reviews are systematically performed
Bot protection mechanisms, including dynamic CAPTCHA enforcement, protect unauthenticated entry points
Strong Identity and Access Management
Access control is strictly enforced to ensure accountability and least privilege:
Federated authentication using OAuth 2.0 and Auth0
MFA enforced for privileged accounts, combining password and one-time verification codes
Named individual accounts only, no shared accounts
Privileged access reviews conducted at least every 3 months
Accounts are automatically deactivated after 3 months of inactivity
All account lifecycle events are logged and retained for auditability.
Secure Configuration and Infrastructure Protection
The platform is protected through layered security controls:
All access and administration performed over TLS 1.2 or TLS 1.3
Cloudflare Web Application Firewall protects against common web threats
APIs are secured through authentication, authorization and WAF-level protections
Development and production environments are strictly segregated, with no real personal data used outside production
Encryption and Data Protection
Data protection is enforced at all stages:
All data is encrypted in transit using TLS
Encryption at rest is implemented using Google Cloud native encryption mechanisms
AES-256 encryption with Google Cloud KMS, automated key rotation and audit logging
Logging, Monitoring and Auditability
Security events are continuously monitored:
Access to sensitive data is logged and monitored for abnormal patterns
Changes to personal data are fully traceable via centralized audit logs
Logs include timestamp, actor identity and action type
Logs are retained for at least 6 months, with secure deletion or anonymization thereafter
Centralized logging within Google Cloud, monitored via Google Cloud Security Command Center
Data Retention and Lifecycle Management
Share Of Model provides robust data governance controls:
Configurable data retention and deletion policies, aligned contractually with customer requirements
Automatic data deletion, including full deletion at contract termination
Support for read-only data archiving where applicable
Backup, Disaster Recovery and Business Continuity
Operational resilience is a core design principle.
Daily backups stored in EU data centers with ISO 27001 certified providers
Documented backup and restore procedures, tested annually
Last backup restoration test conducted in November 2025
A documented Disaster Recovery Plan is in place, supported by Google Cloud replication and redundancy. DRP tests include partial recovery and full failover simulations, with the most recent test conducted in August 2025.
Infrastructure Security Testing
Jellyfish continuously validates its security posture.
Weekly system and network vulnerability scans using Acunetix
External and internal penetration tests performed by VAADATA
Tests include source code analysis for deeper coverage
In summary, Share Of Model combines continuous security testing, strong identity controls, secure infrastructure, encrypted data handling and rigorous monitoring to deliver a platform that is secure by design, compliant by default and continuously improving.