Schift Trust Center
Last updated: 2026-04-19
Schift is RAG infrastructure built for regulated teams. This page lists our current security posture, ongoing certification work, and documents we can share under NDA.
1. Security posture
What every Schift customer gets by default.
- BYOK: bring your own LLM and embedding keys. No lock-in.
- Tenant isolation: every query is org-scoped at the storage, engine, and compute layers.
- Audit logs: immutable, tamper-evident, CSV exportable. CSAP-grade.
- Encryption: TLS 1.2/1.3 in transit; AES-256 at rest on R2; PBKDF2 (260K iterations) for passwords.
2. Certifications & attestations
We publish status honestly. No certificate is claimed that we don't hold.
- SOC 2 Type II: observation window targeted for 2026-Q4; Type II report expected 2027-Q2.
- ISO/IEC 27001:2022: Statement of Applicability drafted (A.5–A.8); readiness engagement starting 2026-Q3.
- CSAP (SaaS): remediation roadmap active; application planned for 2026-Q4, certification in 2027.
3. Compliance features
Available on the Team, Business, and Enterprise tiers. See pricing for the per-tier matrix.
- PII redaction: Korean and international patterns, applied inbound at ingest
- DLP outbound: response-time masking on LLM streams
- SSO / SAML: OIDC (Okta, Azure AD, Google) and SAML 2.0
- SCIM 2.0: automated user/group provisioning and deprovisioning
- IP allowlist: org-level CIDR enforcement, IPv4/IPv6
- CMEK: customer-managed keys via GCP KMS
- SIEM export: Splunk HEC, Datadog, webhook, and S3 sinks
- Retention policy: per-org TTL for docs, chats, and audit logs
- Audit logs: immutable, tamper-evident, CSV export
- BYOK: bring your own LLM / embedding keys
- Tenant isolation: org-scoped storage, engine, and compute
- LLM safety: prompt injection and response guardrails
- Approval workflow: two-person review for sensitive actions
4. Documents
Available under NDA. Contact [email protected] to request.
- Data Processing Agreement (DPA) template: aligned with GDPR Art. 28 and the Korean Personal Information Protection Act (개인정보보호법)
- Data residency statement: data pinned to GCP asia-northeast3 (Seoul)
- Security policy summary: public excerpt from the internal policy
- Privacy Policy
- Terms of Service
5. Contact & responsible disclosure
For vulnerability reports, security questions, or compliance inquiries, email [email protected]. Please include reproduction steps and the affected endpoints. We acknowledge receipt within 24 hours and target triage within 72 hours. We do not take legal action against researchers acting in good faith under this policy.
Scope: api.schift.io, app.schift.io, schift.io. Out of scope: third-party services (GCP, Cloudflare, OpenAI), social engineering of employees, and physical attacks.