Security and Compliance

Draftt is built on robust security principles and stringent compliance standards, designed to safeguard your data and maintain trust. This document provides an overview of Draftt’s security practices and compliance adherence.

Our Commitment to Compliance

Draftt is SOC 2 Type II certified, demonstrating stringent controls across security, availability, and confidentiality of customer data. Additionally, Draftt adheres to internationally recognized standards, including ISO 27001 (Information Security Management) and GDPR (Data Protection).

We support your vendor security assessments by providing transparent access to relevant certifications, attestations, security policies, and detailed reports upon request.

Draftt actively engages in routine third-party audits and penetration testing to maintain the highest security standards and continuously improve our defensive posture.

Secure Data Management

Draftt employs advanced security measures to protect customer data both in transit and at rest. All data exchanges between Draftt and your environment utilize secure SSL/TLS (HTTPS) encryption. Internally, Draftt ensures secure storage of sensitive data, leveraging industry-standard encryption methods (AES-256) and secure management of cryptographic keys.

Draftt infrastructure operates within a secure, isolated cloud environment (VPC), with backend system access strictly controlled. Draftt follows industry best practices rigorously to ensure your data and configurations remain secure and inaccessible to unauthorized entities.

Draftt accesses and stores only the tech stack metadata and configuration data essential for managing your tech stack lifecycle operations and governance. Draftt does not access, process, or store content from your application workloads, customer-owned data, or any personally identifiable information (PII) other than that explicitly described in our policies. Draftt adheres strictly to the principle of least privilege, collecting only the minimum information required for infrastructure lifecycle management and governance.

Privacy and Responsible AI Practices

Draftt places utmost priority on maintaining the privacy and security of your data. While leveraging advanced analytics and automated insights, Draftt explicitly ensures that your information is never used to train external AI models. Your data is used exclusively to enhance your direct experience with Draftt’s services, strictly adhering to comprehensive data privacy policies and practices.

Robust Tenant Data Isolation

Draftt implements a robust, multi-layered data isolation strategy to protect your information within our multi-tenant architecture. Key components of Draftt’s data isolation approach include:

  • Data Segregation and Tenant-First Architecture: Draftt’s platform is explicitly designed around tenant isolation, ensuring data processing and operations remain confined to the tenant-specific context, with identity verification at every operational step. Customer data is logically segregated, ensuring robust protection against unauthorized access or data leakage between tenants.

  • Encryption Standards: Data encryption is enforced both at rest and in transit, using robust encryption protocols alongside dedicated, tenant-aware key management systems.

  • Comprehensive Access Control: Draftt enforces strict, role-based access controls throughout its infrastructure, ensuring users and services access only authorized data within clearly defined boundaries.

  • Continuous Monitoring and Auditing: Draftt continuously monitors and audits its systems to promptly detect, analyze, and respond to potential security threats. Regular security audits, vulnerability assessments, and penetration tests are conducted to validate the strength of isolation and security controls.

Through these comprehensive and proactive security practices, Draftt remains unwavering in its commitment to protecting the confidentiality, integrity, and availability of your data.