Infomaze Sphere handles customer operational data every day — quotes, contracts, service histories, customer records. The standards below aren't marketing; they're what we commit to on every deployment.
Our parent group, Infomaze, is ISO 27001 certified — the international standard for information security management systems. The same security controls and audit procedures apply to Sphere operations.
ISO 27001 covers policies, risk management, access controls, physical security, operational security, and incident response. Certification is audited annually by an accredited third party.
Sphere products are designed with GDPR principles built in — lawful basis for processing, data minimization, purpose limitation, and the rights of data subjects (access, rectification, erasure, portability, restriction, objection).
For customers with EU end users, Sphere can operate under standard Data Processing Agreements (DPAs) and supports EU data residency.
We're in the process of pursuing SOC 2 Type II for the Sphere platform. Expected completion: late 2026.
In the meantime, many of the SOC 2 control objectives — logical access, change management, system monitoring, incident response — are already implemented under our ISO 27001 framework.
For industries with specific compliance requirements — HIPAA for healthcare, PCI-DSS for payment data — we implement the relevant controls on a per-deployment basis and document them in customer-specific DPAs.
Talk to us about your specific compliance needs and we'll outline what we support.
All Sphere traffic uses TLS 1.3 encryption. All stored customer data is encrypted at rest using AES-256.
Database backups, object storage, and log streams inherit the same encryption standards.
Sphere supports regional data residency — US, EU, or Asia-Pacific — so your operational data stays where your regulators (and your customers) expect it.
Choose your region at deployment. Data does not cross regional boundaries without explicit configuration.
Role-based access control is available across all Sphere products. Granular permissions let you restrict access by feature, customer, or data set.
SSO integration via SAML 2.0 and OIDC is available for enterprise customers. Multi-factor authentication is supported on all accounts.
Every administrative action, data access, and configuration change is logged. Audit logs are retained for a minimum of 12 months and available to customer admins on request.
24/7 monitoring for anomalies, unauthorized access attempts, and performance issues. Security incidents are triaged under our documented incident response procedure.
Encrypted daily backups with configurable retention. Point-in-time recovery available for production databases.
Disaster recovery procedures tested quarterly. Target RPO (recovery point objective) is under one hour; RTO (recovery time objective) is under four hours for most customer deployments.
Defined incident response process with clear roles, escalation paths, and customer notification protocols.
Material security incidents affecting customer data are disclosed to affected customers within 72 hours, in line with GDPR notification requirements.
Customer data remains the property of the customer. We process data on your behalf as outlined in our Data Processing Agreement. We do not sell, share, or use customer data for purposes unrelated to the service.
Export your data in standard formats (CSV, JSON, direct database exports) at any time. No lock-in. If you leave, your data leaves with you.
Customer data is never used to train public AI models. ANSWR is trained on your content for your deployment — isolated per customer, not shared across customers.
Where we use AI APIs from third-party providers (e.g., OpenAI), we use the enterprise APIs with zero-data-retention configurations.
We maintain a current list of subprocessors (cloud infrastructure, email delivery, payment processing, etc.) and notify customers of material changes. Available on request.
We take security reports seriously. If you believe you've found a security vulnerability in any Sphere product or service, please contact us at security@infomazesphere.com.
We acknowledge reports within two business days and commit to working with researchers in good faith. We don't pursue legal action against researchers who follow responsible disclosure practices.
We respond to security questionnaires, share DPAs, and can provide relevant compliance documentation on request. Get in touch and we'll route you to the right team.