Security reviews and vendor due diligence

This article is for teams running a security review of Parsio. It points to official policies, provides concise answers for questionnaires, and explains how to reach us if you need something specific.

Official references (primary sources)

Copy-ready answers (short form)

Ownership of data
Customers keep full ownership of their content. We process data only to provide the requested service.

AI/LLM usage
Customer data is not sold and is not used to train or improve AI/LLM models.

Encryption in transit
HTTPS with modern TLS (TLS 1.2+).

Encryption at rest
AES-256 (including encrypted Amazon S3 for object storage).

Data location
Hosted on reputable cloud providers with encryption at rest. Primary databases are located in the United States.

Cloud providers & storage
We rely on reputable cloud platforms and encrypted Amazon S3. See the current provider list on our Security page.

Access controls
Production access is restricted to authorized staff on a least-privilege basis, and all access is logged.

Backups & resilience
Automated, regular backups; distributed and scalable infrastructure; 24/7 monitoring and alerting.

Retention & deletion
Configurable retention (commonly 1–180 days) plus on-demand deletion of items or accounts.

Password handling
Passwords are stored only as salted, one-way hashes produced by an adaptive algorithm (e.g., bcrypt). Plaintext passwords are never stored.

Subprocessors
A small, vetted set of providers (cloud, storage, database, payments, support, AI). Current list and purposes are on the Security page.

Compliance
Aligned with GDPR. International transfers use appropriate safeguards (e.g., SCCs). See GDPR and the DPA for details.

Incident response
Documented procedures and continuous monitoring. If a notifiable breach occurs, we will notify affected customers and, where required, the supervisory authority within 72 hours of becoming aware of it.

Where to find common questionnaire topics

Extra details for reviewers

  • Location: primary databases are in the USA.

  • Encryption: TLS 1.2+ in transit; AES-256 at rest (including S3).

  • Providers: reputable cloud hosting plus limited subprocessors (e.g., Google Cloud Platform, DigitalOcean, Amazon S3, MongoDB Atlas, Microsoft, Stripe, Crisp, Mistral/OpenAI for AI services).

  • Monitoring: centralized logs with 24/7 monitoring and alerting.

  • Retention: configurable (1–180 days) with self-service deletion.

  • SDLC: peer reviews, automated testing, dependency/security scanning via CI/CD.

  • IR: documented runbooks and notification timelines aligned with GDPR.

For authoritative answers, always refer to our main site:
Data protection • Security • Privacy policy • GDPR • DPA


© 2025 Parsio Knowledge Base