Here's what that looks like in practice.
Data protection and retention
Your data is encrypted in transit and at rest, company laptops are encrypted, and databases are backed up daily and retained for 30+ days. Custom data retention is available. For EU customers we sign DPAs, and we've supported data-residency requirements with custom deployments, talk to us if that's a need.
Infrastructure that gives attackers less to hit
Sensible runs fully serverless on AWS. There are no servers for us to provision and no hosts to leave unpatched, that entire layer, along with physical and environmental security, is AWS's responsibility under their audited controls. Less surface, fewer ways in.
Access on a need-to-know basis
Nobody gets more access than their role requires. Access is granted by role with documented approval, reviewed at least quarterly, and gated behind MFA over encrypted connections for anything touching production. When someone leaves, their access is gone within 24 hours, not eventually, within a day.
We're watching
AWS GuardDuty gives us continuous intrusion detection, and all infrastructure activity is centrally logged and monitored with automated alerting. We also keep a documented incident response plan and rehearse it at least once a year, so a real incident isn't the first time we run the play.
Security baked into how we ship
Every change moves through a formal development lifecycle. Code is reviewed and approved by a senior engineer before it reaches production, and no one, the author included, ships their own change unreviewed. On top of that, an independent firm pen-tests us at least annually.
The people behind it
Everyone we hire goes through a background check. All staff complete security awareness training every year, covering the threats that actually target teams like ours, phishing, social engineering, and the rest.
Vendors and resilience
We vet the vendors we rely on and review the critical ones at least annually. We maintain a tested business continuity and disaster recovery plan, and we carry cybersecurity insurance for the days that don't go to plan.
Sub-processors
We rely on a small set of trusted third parties to deliver the service:
- AWS, cloud hosting and storage.
- OCR, Microsoft Azure, Google Cloud Vision, AWS Textract, and Lazarus, used to read text from documents.
- AI extraction, OpenAI, Anthropic, and Google Vertex, where you choose to use LLM-based extraction.
Working together
Security is a shared effort. You own your user accounts, API keys, and access tokens, keep them secret, rotate them when it makes sense, and tell us right away if you think any have been compromised.
Found a vulnerability? Tell us.
Email security@sensible.so with a description of the issue, a proof of concept, and a CVSS score if you have one. We triage every serious submission, aim to acknowledge within 5 business days, and resolve critical issues within a week.
When testing, do not:
- Run denial-of-service (DoS or DDoS) attacks, or anything that degrades, disrupts, or threatens the availability of the service.
- Access, alter, exfiltrate, or destroy data that isn't yours. Test only against accounts and data you own or are authorized to use.
- Run high-volume automated scans against our production systems.
- Target our staff, customers, or facilities through phishing, social engineering, or physical means.
To set expectations:
- We don't run a formal bug bounty program, though we've paid for genuine, demonstrated issues before.
- We don't pay for noise: missing headers, DNS nitpicks, raw scanner output, or anything without real, shown impact.
- We already have a pen-testing provider, so we don't accept or pay for unsolicited pentests, monitoring, or other services.