
Sovereign architecture for the surface your security team never reached.

RedeApp's security architecture is purpose-built for the frontline reality: unmanaged devices, mixed labor models, regulated industries. SOC 2 Type II controls map cleanly to standard enterprise security frameworks; the agentic governance layer extends those controls into AI decision-making.

Procurement-grade trust documentation has a specific shape: clear architecture, explicit controls, named auditors, public sub-processors, and signed agreements. This page covers security architecture.

The four dimensions

What's covered in Security architecture.

Each item below names a dimension and what RedeApp publishes about it.

  • Encryption + transport

    256-bit AES encryption at rest including backups and system media. TLS 1.2+ enforced in transit (audit control CC6.6.3). Customer-managed KMS keys via AWS KMS. Per-customer encryption boundaries with VPC isolation available. Production cloud access restricted to private virtual networks via Pritunl/OpenVPN under principle of least privilege.

  • Identity + IdP integration

    Native integration with enterprise IdPs (Microsoft Entra ID, Okta, Ping Identity, Google Workspace) via SAML 2.0 and OIDC. MFA enforced for administrative access (audit control CC6.1.3), alongside a password policy of a 14-character minimum, complexity rules, and 90-day rotation. SCIM 2.0 just-in-time provisioning. RedeKey reconciles frontline identity sources (badge, clock-in, contractor records).

  • HR AutoSync + lifecycle

    Automated HRIS synchronization via secure SFTP. Endpoint: ssh.redeapp.com (port 22, SSH public-key authentication, asymmetric cryptography via OpenSSH). TSV is the preferred format. A termination flag in the HRIS feed triggers automated user deprovisioning and a remote device wipe, erasing corporate messages, file repositories, and cache from the employee's mobile device.

  • Audit trail (Scout) + breach SLA

    Compliance-grade activity logging via Scout. SOC 2 Type II audit-ready event stream. Customer-controlled retention and export. Annual external third-party penetration tests on web and mobile applications (CC4.1.1). Breach notification SLA: any verified data breach reported without unreasonable delay, with a 10-calendar-day legal notification window per Master Services Agreement and BAA.

Next step

Solve digital abandonment. Deploy the Frontline OS.

Your security review committee can reach our enterprise team for any clarification or specific controls inquiry.
