Security
How we protect the data you trust us with.
A living trust surface — certification status, control matrix, architecture diagram, disclosure SLA. We don't claim attestations we don't hold; what's mapped here is dated and self-attested.
Certification
What we are — and are not — certified for
Up-front disclosure of every major compliance framework. The control matrix further down maps to these frameworks for evaluation; it is not a substitute for third-party attestation.
Certification status · self-disclosed
Framework | Status | Notes
GDPR / KVKK | Aligned | Data-controller obligations met. DSR endpoint, subprocessor list, and DPA available. Turkey KVKK aligned.
CCPA | Aligned | California consumer privacy rights supported. Data access, deletion, and opt-out mechanisms implemented.
SOC 2 Type II | Not certified | No attestation issued. Controls mapped below are self-attested against the Trust Services Criteria.
ISO 27001 | Not certified | No certificate of conformity. Annex A controls mapped, ISMS not externally audited.
PCI DSS | Scope-limited | Cardholder data never enters TeleRadar. Our third-party payment processor handles all PAN/CVV. SAQ-A scope only.
CREST | Not applicable | CREST accredits pentest/SOC service providers. TeleRadar is a SaaS platform, not a CREST-scoped service.
Controls
Mapped · implemented · dated
Control | Area | Description | Status | Last review
CC6.1 | Access | Logical access via SSO + MFA for all operator accounts | implemented | 2026-06-01
CC6.6 | Access | Periodic access review across all service accounts | implemented | 2026-05-15
CC6.7 | Access | MFA enforced for privileged and administrative access | implemented | 2026-05-28
CC6.8 | Access | Malicious code prevention on all endpoints | implemented | 2026-06-02
A.8.24 | Encryption | Cryptographic controls for data at rest and in transit | implemented | 2026-06-01
A.10.1 | Encryption | Key management lifecycle with automated rotation | implemented | 2026-06-10
CC7.1 | Monitoring | Configuration change detection across infrastructure | implemented | 2026-06-05
CC7.2 | Monitoring | Anomaly detection on Telegram message pipelines | implemented | 2026-06-05
CC8.1 | Change | Change management with PR review and CI/CD gates | implemented | 2026-06-01
A.8.23 | Data | Data classification and handling procedures | in-progress | —
CC4.1 | Risk | Continuous risk monitoring and threat modeling | implemented | 2026-05-20
CC9.2 | Vendor | Vendor risk assessments for third-party services | implemented | 2026-06-08
Architecture
The encryption path
A Telegram message enters our system through five stages. Each stage has its own key material, its own audit trail, and its own tamper-evidence.
01 Ingest
TLS 1.3 · mutual cert
Telegram MTProto gateway → regional ingest buffer
Protects with: TLS handshake · MITM-resistant · cert pinning
02 Transit
In-flight envelope
Envelope encryption before regional replication
Protects with: Per-tenant DEK wrap · KMS-managed · auditable
03 Vault
AES-256-GCM at rest
Partitioned object storage + encrypted document database
Protects with: Per-workspace keys · 90-day rotation · HSM-rooted
04 Serve
Scoped token · TLS 1.3
API & dashboard reads, never full vault scope
Protects with: Short-lived JWTs · IP allow-list · MFA for admin
05 Egress
HMAC-signed webhooks
Customer destination, redacted per policy
Protects with: SHA-256 HMAC · customer-held secret · replay window
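A receiver-side check for the stage 05 webhook signature, shown as an added example that is not TeleRadar's own code. This page does not specify the wire format, so the signing layout (timestamp, a dot, then the raw body), the 300-second window, the result strings and every name below are assumptions.

```python
import hashlib
import hmac
import time

REPLAY_WINDOW_SECONDS = 300  # assumed tolerance; the page does not state the window


class WebhookVerifier:
    """Checks an HMAC-SHA-256 webhook signature and rejects stale or replayed deliveries.

    Assumed (hypothetical) layout: signature = hex(HMAC-SHA256(secret, "<timestamp>.<raw body>")).
    """

    def __init__(self, secret: bytes, window: int = REPLAY_WINDOW_SECONDS):
        self._secret = secret
        self._window = window
        self._seen = {}  # accepted signature -> its timestamp, kept while inside the window

    def sign(self, timestamp: int, body: bytes) -> str:
        msg = str(timestamp).encode() + b"." + body
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def verify(self, timestamp_header, signature_header, body: bytes, now=None) -> str:
        now = int(time.time()) if now is None else now
        try:
            ts = int(timestamp_header)
        except (TypeError, ValueError):
            return "bad-timestamp"
        # Authenticate first, in constant time, so unsigned input never reaches the cache.
        expected = self.sign(ts, body)
        if not hmac.compare_digest(expected.encode(), (signature_header or "").encode()):
            return "bad-signature"
        # The timestamp is covered by the MAC, so it can now be trusted for freshness.
        if abs(now - ts) > self._window:
            return "stale"
        # Drop entries that have aged out, then refuse a signature already accepted.
        self._seen = {s: t for s, t in self._seen.items() if abs(now - t) <= self._window}
        if expected in self._seen:
            return "replayed"
        self._seen[expected] = ts
        return "ok"


if __name__ == "__main__":
    verifier = WebhookVerifier(b"constructed-demo-secret")  # constructed sample secret
    payload = b'{"event":"message.matched","id":"evt_1"}'   # constructed sample body
    stamp = int(time.time())
    print(verifier.verify(str(stamp), verifier.sign(stamp, payload), payload))
    print(verifier.verify(str(stamp), verifier.sign(stamp, payload), payload))
```

Verify against the raw request bytes before any JSON parsing, and share the replay cache across receiver instances if more than one can accept the same delivery.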
Disclosure · 01
PGP & contact
Email: security@teleradar.org
Fingerprint: 8F4C 2E19 5D73 BBA8 61D2 4F09 7A38 EC11 CD45 9A02
Key ID: 0x7A38EC11CD459A02
Algorithm: RSA-4096 / SHA-512
Expires: 2028-01-15
Disclosure · 02
Response SLAs
Stage | Target | Scope
Acknowledgment | 24 h | Every report · every severity
Triage update | 5 business days | Preliminary severity + reproduction
Critical fix | 14 days | Or coordinated disclosure window
High-severity fix | 30 days | Patch + advisory
Public advisory | 90 days | After fix · or sooner by agreement
Need the full packet?
NDA'd PDF: architecture, sub-processors, control matrix, penetration test summary.