
Summand is built for regulated industries. The full set of controls — data residency, audit retention, key management, penetration testing — is implemented at the infrastructure level on AWS, with identity controls layered through WorkOS.

Frameworks

Framework        Status
HIPAA            Compliant. BAA available for Enterprise customers handling PHI.
SOC 2 Type II    Audited annually. Latest report available under NDA.
ISO 27001        Aligned. Certification on roadmap.
GDPR             Compliant for processing of EU personal data. DPA available.
CCPA             Compliant for processing of California consumer data.

What’s covered

Data at rest

  • AWS-managed KMS encryption on all DynamoDB tables, S3 buckets, and Secrets Manager secrets.
  • Customer data is logically isolated per organization.
  • Backups are encrypted with the same KMS keys; backup retention aligns with the source data’s retention.

Data in transit

  • TLS 1.2+ for every external connection. TLS 1.3 preferred.
  • Database connectors require certificate validation; self-signed certs are rejected.
  • Internal service-to-service traffic is also TLS-encrypted within AWS VPCs.

Identity and access

  • All authentication routed through WorkOS, which is itself SOC 2 Type II compliant.
  • MFA enforceable at the org level (WorkOS) and at sensitive-operation level (Summand).
  • Sessions are managed by WorkOS AuthKit and refresh on the standard short-cookie/long-refresh pattern. Enterprise customers can adjust session lifetime per-org through the WorkOS Admin Portal.
  • Cookie attributes: HttpOnly, Secure, SameSite=Lax for CSRF protection.

Audit and monitoring

  • All identity events retained for 6+ years (WorkOS).
  • All application events retained 1-6 years depending on tier.
  • Log streaming to customer-controlled SIEMs (Datadog, Splunk, S3, HTTPS).
  • CloudWatch alarms on Lambda errors, DLQ depth, and authorization failures.

Operational security

  • Annual third-party penetration test; report shared under NDA on request.
  • Quarterly internal vulnerability scans.
  • Dependencies tracked via Dependabot; security-relevant updates merged within 7 days.
  • Production access via federated identity (no shared credentials); all production sessions logged.

Personnel

  • Background checks for all employees with production access.
  • Annual security awareness training.
  • Access provisioning and deprovisioning automated through our IdP of record (we use the same WorkOS we sell).

HIPAA-specific notes

For Protected Health Information (PHI):
  • A Business Associate Agreement (BAA) is required and provided to all Enterprise customers handling PHI.
  • PHI must be processed within Summand’s HIPAA-eligible services. By default, all Summand infrastructure is HIPAA-eligible.
  • Audit log retention is set to 6 years to meet HIPAA’s audit standard.
  • Optional: dedicated infrastructure for organizations with the strictest requirements. Contact sales.

The standard Enterprise tier is suitable for most PHI workloads. For MIPS, the most stringent NIST 800-53 controls, or FedRAMP Moderate-equivalent profiles, contact sales.

GDPR / data protection

  • Summand processes personal data only as instructed by the customer (data controller). We’re a processor under GDPR.
  • A Data Processing Addendum (DPA) is included in every Enterprise contract.
  • Subprocessors are listed on our trust page. Material changes are notified 30 days in advance.
  • Customer data can be deleted on request; a confirmation of deletion is provided within 30 days.

Data residency

  • All Summand infrastructure runs in AWS us-east-1 (Northern Virginia).
  • For customers with strict residency requirements outside the US, contact sales@summand.com — alternative regions can be discussed under contract.

Subprocessors

A complete, current list lives at summand.com/subprocessors. The headline ones:
  • AWS — primary infrastructure
  • WorkOS — identity, SSO, Directory Sync, audit logs
  • Stripe — billing
  • Anthropic — backs the Summand AI assistant
  • Vercel — frontend hosting

Customer responsibilities

A few controls are yours to configure:
  • MFA enforcement — required vs. optional, set per org.
  • SSO setup — verify domains, configure connections.
  • Sharing decisions — who you grant access to, and at what visibility.
  • Audit log review — Summand exposes the data; routine review is your security team’s responsibility.
  • Off-boarding — pair SSO with Directory Sync so user removal is automatic.

Asking for documents

For NDA-gated artifacts (SOC 2 report, pen test report, DPA, BAA), email security@summand.com from a verified work address. Standard turnaround is 1-2 business days.