Security and Compliance at Madison

Last updated: 2 July 2026

This page summarises how we protect customer data. For evidence (including reports, our sub-processor list, security policies and control status) contact our security team at security@meetmadison.ai.


Certifications and Compliance

Our SOC 2 Type II examination is currently underway. We are building and evidencing controls across the Security, Availability and Confidentiality Trust Services Criteria and will make the independent auditor’s report available under NDA once the observation period concludes.

Framework | Status | Evidence
SOC 2 Type II | In Progress | Audit underway; report available under NDA on completion
GDPR | Aligned | DPA and sub-processor list available on request
CCPA/CPRA | Aligned | Privacy disclosures and consumer rights process available on request

To request our current compliance status, completed CAIQ/SIG or a vendor security questionnaire, contact security@meetmadison.ai.


Data Residency and Hosting

Madison operates on established US-based cloud infrastructure. Customer data is stored and processed in the United States.

Where we transfer personal data originating in the EEA or UK, we rely on a documented legal basis (Standard Contractual Clauses or equivalent), disclosed in our sub-processor list.

Our cloud providers maintain independent attestations against ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1, SOC 2, SOC 3 and PCI DSS. We do not operate our own data centres, routers, DNS or load balancers.


Encryption

  • In transit. TLS 1.2 or higher for all client-to-service and service-to-service communication. HSTS is enforced on web endpoints.

  • At rest. Customer data is encrypted at rest using AES-256 or equivalent encryption provided by our cloud infrastructure. Backups are encrypted to the same standard.

  • Key management. Keys are managed in our cloud provider’s Key Management Service (KMS) with separation of duties between key custodians and data administrators.


Application Security

We treat the application layer as our highest-risk surface.

  • Secure SDLC. Security requirements are defined and tracked throughout the software development lifecycle. Automated continuous integration (CI) checks must pass before deployment, and security review is part of the design and implementation of new services and material architectural changes.

  • Static and dynamic analysis. Pull requests are scanned using static application security testing (SAST), and third-party dependencies are continuously monitored using software composition analysis (SCA). Production endpoints are scanned using dynamic application security testing (DAST) on a recurring schedule.

  • Dependency management. Vulnerable dependencies are patched according to defined service level objectives based on CVSS severity:

    • Critical: 7 days

    • High: 30 days

    • Medium: 90 days

  • Penetration testing. Independent third-party penetration tests are conducted at least annually against the production environment. Executive summaries are available under NDA.

  • Runtime protection. A managed web application firewall (WAF) monitors and blocks common web attack patterns, including protections aligned with the OWASP Top 10. Industry-standard security headers, including HSTS, X-Frame-Options and X-Content-Type-Options, are enforced on customer-facing services.
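As an added example (not code from Madison or from this page), the following Python check evaluates a set of HTTP response headers against the three headers this section names: HSTS, X-Frame-Options and X-Content-Type-Options. The one-year HSTS max-age threshold, the acceptance of a CSP frame-ancestors directive in place of X-Frame-Options, and the two sample header sets are this example's assumptions, not statements made on the page.

```python
"""Baseline check for security headers (HSTS, X-Frame-Options,
X-Content-Type-Options) over a dict of HTTP response headers.

Assumed policy (not stated on the page): HSTS max-age of at least one
year (31536000 s, the hstspreload.org minimum) with includeSubDomains.
"""
from __future__ import annotations

from typing import Dict, List

# Assumed threshold for this example, not a value from the page.
MIN_HSTS_MAX_AGE = 31_536_000


def parse_hsts(value: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into lower-cased directives.

    'max-age=31536000; includeSubDomains; preload' ->
    {'max-age': '31536000', 'includesubdomains': '', 'preload': ''}
    """
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the baseline is met.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            max_age = -1  # missing or non-numeric max-age counts as failing
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(
                f"HSTS max-age {d.get('max-age', 'missing')} is below {MIN_HSTS_MAX_AGE}"
            )
        if "includesubdomains" not in d:
            findings.append("HSTS does not set includeSubDomains")

    # Clickjacking: accept X-Frame-Options DENY/SAMEORIGIN, or the CSP
    # frame-ancestors directive that supersedes X-Frame-Options.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no framing restriction (X-Frame-Options or CSP frame-ancestors)")

    # MIME sniffing: the only valid value is 'nosniff'.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    return findings


# Constructed sample responses for this example, not captured from any real service.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html; charset=utf-8",
}

WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",  # too short, no includeSubDomains
    "X-Frame-Options": "ALLOW-FROM https://example.com",  # obsolete; modern browsers ignore it
    "X-Content-Type-Options": "none",
}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        findings = check_security_headers(hdrs)
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for f in findings:
            print("  -", f)
```

To verify a live endpoint, feed the headers from a `curl -sI https://<host>/` response into `check_security_headers`; the `WEAK_HEADERS` set shows the failure modes the parser has to handle (short max-age, missing includeSubDomains, an obsolete X-Frame-Options value, and a non-`nosniff` value).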

Security Frameworks

Our application security practices are informed by recognised industry guidance including:

  • OWASP ASVS

  • OWASP Top 10

  • SANS Top 25

  • MITRE ATT&CK


Infrastructure and Network Security

  • Segmentation. Production, staging and corporate networks are isolated. Production access requires SSO with phishing-resistant MFA and is logged.

  • Monitoring. Centralised logging captures authentication, access and administrative events. Alerts route to on-call engineers. Logs are retained in accordance with policy and protected against tampering.

  • DDoS protection. Edge protection is provided by our cloud and CDN providers and is active by default.

  • Vulnerability management. Infrastructure is scanned continuously. Findings are triaged, assigned and remediated in accordance with the remediation service level objectives set out under Application Security.


Identity and Access Management

  • Internal access follows the principle of least privilege and is reviewed at least quarterly.

  • All internal systems require SSO with MFA.

  • Production access is restricted to authorised personnel, requires SSO with MFA as described under Infrastructure and Network Security, and is audit logged.

  • Employee onboarding and offboarding access changes are completed within one business day.


People Security

  • Background checks are conducted for all new hires where legally permitted.

  • All employees and contractors sign confidentiality agreements as a condition of engagement.

  • Security awareness training is mandatory at onboarding and annually thereafter.

  • Role-specific training (including secure coding, data handling and incident response) is delivered to engineering and operations staff.

  • Acceptable Use, Data Classification and Remote Work policies are in force and acknowledged annually.


Vendor and Sub-processor Management

We assess every vendor that handles customer data before engagement and re-assess them on a defined cadence.

Our current sub-processor list (including processing purpose and data location) is available on request.

We notify customers of material sub-processor changes in accordance with our Data Processing Agreement.


Incident Response

We maintain a documented incident response plan covering detection, containment, eradication, recovery and post-incident review. The plan is tested at least annually.

In the event of a confirmed security incident affecting customer data, we will notify affected customers without undue delay and within the timeframes required by applicable law and our Data Processing Agreement. Communications are delivered through your designated security contact.

Report a security incident or suspected compromise: security@meetmadison.ai


Business Continuity and Disaster Recovery

  • Customer data is backed up daily, encrypted and stored in a separate availability zone.

  • Recovery objectives (RTO and RPO) are defined per service tier and tested at least annually.

  • Our Business Continuity Plan covers personnel, supplier and infrastructure failure scenarios.


Data Retention and Deletion

Customer data is retained for the duration of the active subscription.

Following cancellation or expiration, customer data is retained for 12 months to support account restoration, billing and dispute resolution, customer support and business continuity, after which it is permanently deleted from production systems unless retention is required by law.

Deletion Requests

We distinguish between deletion of an individual user account and deletion of an entire organisation.

Deleting a user removes their personal information and organisation memberships but does not delete the organisation’s data. Where that user owns an organisation with an active subscription, ownership must first be transferred so the customer retains administrative access.

Organisation deletion may only be requested by the organisation owner and only once active subscriptions have been cancelled.

Verified deletion requests are normally completed within 30 calendar days.

Backups

Data removed from production may persist in encrypted backups for up to 30 days, retained solely for disaster recovery and not used to restore individual users or organisations except as part of a full system recovery.

Individual Rights

Individual data subjects may exercise their rights under applicable law—including access, rectification, erasure, portability, restriction and objection—by contacting privacy@meetmadison.ai or through the controller of their data.


Customer Responsibilities

Security is a shared responsibility. Customers are responsible for:

  • Configuring strong authentication for their users (we recommend SSO with MFA).

  • Managing roles and permissions appropriately within their workspace.

  • Protecting credentials and API tokens.

  • Reviewing audit logs and access records.

  • Maintaining accurate administrator contact information.


Responsible Disclosure

We welcome reports from security researchers.

If you believe you have found a vulnerability in our application or infrastructure, please email security@meetmadison.ai with:

  • A clear description of the issue and the affected component.

  • Steps to reproduce, including a proof of concept where possible.

  • Your contact information for follow-up.

Scope and Rules of Engagement

  • Test only against accounts and data you own.

  • Do not run automated scanners against production beyond what is necessary to demonstrate the issue.

  • Do not access, modify or exfiltrate other users’ data.

  • Do not publicly disclose the issue until we have confirmed remediation.

We will acknowledge receipt within two business days and will not pursue legal action against researchers who follow this process in good faith.

We currently do not operate a paid bug bounty programme but recognise researchers in our Hall of Thanks upon request.


Information Security Policy

Our Information Security Management System (ISMS) is governed by a formal Information Security Policy, approved by management and reviewed at least annually.

The policy commits Madison to:

  • Protecting the confidentiality of customer and company information against unauthorised disclosure.

  • Maintaining the integrity of information against unauthorised modification.

  • Ensuring the availability of information to authorised users when needed.

  • Granting access on a least-privilege basis, with privileged access strictly controlled and reviewed.

  • Meeting and, where reasonable, exceeding applicable legal, regulatory and contractual requirements.

  • Developing, maintaining and testing business continuity plans.

  • Providing security training and embedding security responsibilities into role descriptions.

  • Protecting employees who report security concerns in good faith from retaliation.

  • Investigating and responding to all reported or suspected information security breaches.

The full policy and supporting standards are available to customers and auditors under NDA.


Contact

Topic | Contact
Security vulnerabilities and incidents | security@meetmadison.ai
Privacy, data subject requests and Data Processing Agreements | privacy@meetmadison.ai
Compliance evidence and security questionnaires | security@meetmadison.ai
General enquiries | hello@meetmadison.ai

Your AI-Powered Digital Marketing Specialist

© Copyright 2026, All Rights Reserved