Security and Compliance at Madison
Last updated: 2 July 2026
This page summarises how we protect customer data. For evidence (including reports, our sub-processor list, security policies and control status) contact our security team at security@meetmadison.ai.
Certifications and Compliance
Our SOC 2 Type II examination is currently underway. We are building and evidencing controls across the Security, Availability and Confidentiality Trust Services Criteria and will publish the independent auditor’s report under NDA once the observation period concludes.
Framework       Status        Evidence
SOC 2 Type II   In Progress   Audit underway; report available under NDA on completion
GDPR            Aligned       DPA and sub-processor list available on request
CCPA/CPRA       Aligned       Privacy disclosures and consumer rights process available on request
To request our current compliance status, completed CAIQ/SIG or a vendor security questionnaire, contact security@meetmadison.ai.
Data Residency and Hosting
Madison operates on established US-based cloud infrastructure. Customer data is stored and processed in the United States.
Where we transfer personal data originating in the EEA or UK, we rely on a documented legal basis (Standard Contractual Clauses or equivalent), disclosed in our sub-processor list.
Our cloud providers maintain independent attestations against ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1, SOC 2, SOC 3 and PCI DSS. We do not operate our own data centres, routers, DNS or load balancers.
Encryption
In transit. TLS 1.2 or higher for all client-to-service and service-to-service communication. HSTS is enforced on web endpoints.
At rest. Customer data is encrypted at rest using AES-256 or equivalent encryption provided by our cloud infrastructure. Backups are encrypted to the same standard.
Key management. Keys are managed in our cloud provider’s Key Management Service (KMS) with separation of duties between key custodians and data administrators.
Application Security
We treat the application layer as our highest-risk surface.
Secure SDLC. Security requirements are considered throughout the software development lifecycle: security review is part of the design and implementation of new services and material architectural changes, and automated continuous integration (CI) checks must pass before deployment.
Static and dynamic analysis. Pull requests are scanned using static application security testing (SAST), and third-party dependencies are continuously monitored using software composition analysis (SCA). Production endpoints are scanned using dynamic application security testing (DAST) on a recurring schedule.
Dependency management. Vulnerable dependencies are patched according to defined service level objectives based on CVSS severity:
Critical: 7 days
High: 30 days
Medium: 90 days
Penetration testing. Independent third-party penetration tests are conducted at least annually against the production environment. Executive summaries are available under NDA.
Runtime protection. A managed web application firewall (WAF) monitors and blocks common web attack patterns, including protections aligned with the OWASP Top 10. Industry-standard security headers, including HSTS, X-Frame-Options and X-Content-Type-Options, are enforced on customer-facing services.
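As an added example (not Madison's own code), the following check verifies that an HTTP response actually carries the three headers named above with enforcing values; the one-year HSTS max-age threshold is an assumption and not a figure from this page.

```python
# Added example (not Madison's own code): verify that an HTTP response carries
# the headers the page lists (HSTS, X-Frame-Options, X-Content-Type-Options)
# with values that actually enforce them. One-year HSTS max-age is an assumed
# threshold, not a figure from the page.
import re

HSTS_MIN_MAX_AGE = 31536000  # assumed threshold: one year, in seconds


def parse_headers(raw_response):
    """Parse the head of a raw HTTP response into a lower-cased header dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(raw_response):
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw_response)
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if not m:
            findings.append("HSTS has no max-age")
        elif int(m.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append("HSTS max-age below one year")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or weak")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    return findings


# Constructed sample responses (not captured from any real host).
GOOD = ("HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
        "X-Frame-Options: DENY\r\n"
        "X-Content-Type-Options: nosniff\r\n\r\n<html>")
WEAK = ("HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=300\r\n"
        "X-Frame-Options: ALLOWALL\r\n\r\n")
```

Running check_security_headers over a captured response head gives an empty list when all three controls are present with enforcing values, otherwise a list naming each gap.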
Security Frameworks
Our application security practices are informed by recognised industry guidance including:
OWASP ASVS
OWASP Top 10
SANS Top 25
MITRE ATT&CK
Infrastructure and Network Security
Segmentation. Production, staging and corporate networks are isolated. Production access requires SSO with phishing-resistant MFA and is logged.
Monitoring. Centralised logging captures authentication, access and administrative events. Alerts route to on-call engineers. Logs are retained in accordance with policy and protected against tampering.
DDoS protection. Edge protection is provided by our cloud and CDN providers and is active by default.
Vulnerability management. Infrastructure is scanned continuously. Findings are triaged, assigned and remediated in accordance with the remediation service level objectives above.
Identity and Access Management
Internal access follows the principle of least privilege and is reviewed at least quarterly.
All internal systems require SSO with MFA.
Production access is restricted to authorised personnel, protected by SSO and MFA where supported, and audit logged.
Employee onboarding and offboarding access changes are completed within one business day.
People Security
Background checks are conducted for all new hires where legally permitted.
All employees and contractors sign confidentiality agreements as a condition of engagement.
Security awareness training is mandatory at onboarding and annually thereafter.
Role-specific training (including secure coding, data handling and incident response) is delivered to engineering and operations staff.
Acceptable Use, Data Classification and Remote Work policies are in force and acknowledged annually.
Vendor and Sub-processor Management
We assess every vendor that handles customer data before engagement and re-assess them on a defined cadence.
Our current sub-processor list (including processing purpose and data location) is available on request.
We notify customers of material sub-processor changes in accordance with our Data Processing Agreement.
Incident Response
We maintain a documented incident response plan covering detection, containment, eradication, recovery and post-incident review. The plan is tested at least annually.
In the event of a confirmed security incident affecting customer data, we will notify affected customers without undue delay and within the timeframes required by applicable law and our Data Processing Agreement. Communications are delivered through your designated security contact.
Report a security incident or suspected compromise: security@meetmadison.ai
Business Continuity and Disaster Recovery
Customer data is backed up daily, encrypted and stored in a separate availability zone.
Recovery objectives (RTO and RPO) are defined per service tier and tested at least annually.
Our Business Continuity Plan covers personnel, supplier and infrastructure failure scenarios.
Data Retention and Deletion
Customer data is retained for the duration of the active subscription.
Following cancellation or expiration, customer data is retained for 12 months to support account restoration, billing and dispute resolution, customer support and business continuity, after which it is permanently deleted from production systems unless retention is required by law.
Deletion Requests
We distinguish between deletion of an individual user account and deletion of an entire organisation.
Deleting a user removes their personal information and organisation memberships but does not delete the organisation’s data. Where that user owns an organisation with an active subscription, ownership must first be transferred so the customer retains administrative access.
Organisation deletion may only be requested by the organisation owner and only once active subscriptions have been cancelled.
Verified deletion requests are normally completed within 30 calendar days.
Backups
Data removed from production may persist in encrypted backups for up to 30 days, retained solely for disaster recovery and not used to restore individual users or organisations except as part of a full system recovery.
Individual Rights
Individual data subjects may exercise their rights under applicable law—including access, rectification, erasure, portability, restriction and objection—by contacting privacy@meetmadison.ai or through the controller of their data.
Customer Responsibilities
Security is a shared responsibility. Customers are responsible for:
Configuring strong authentication for their users (we recommend SSO with MFA).
Managing roles and permissions appropriately within their workspace.
Protecting credentials and API tokens.
Reviewing audit logs and access records.
Maintaining accurate administrator contact information.
Responsible Disclosure
We welcome reports from security researchers.
If you believe you have found a vulnerability in our application or infrastructure, please email security@meetmadison.ai with:
A clear description of the issue and the affected component.
Steps to reproduce, including a proof of concept where possible.
Your contact information for follow-up.
Scope and Rules of Engagement
Test only against accounts and data you own.
Do not run automated scanners against production beyond what is necessary to demonstrate the issue.
Do not access, modify or exfiltrate other users’ data.
Do not publicly disclose the issue until we have confirmed remediation.
We will acknowledge receipt within two business days and will not pursue legal action against researchers who follow this process in good faith.
We currently do not operate a paid bug bounty programme but recognise researchers in our Hall of Thanks upon request.
Information Security Policy
Our Information Security Management System (ISMS) is governed by a formal Information Security Policy, approved by management and reviewed at least annually.
The policy commits Madison to:
Protecting the confidentiality of customer and company information against unauthorised disclosure.
Maintaining the integrity of information against unauthorised modification.
Ensuring the availability of information to authorised users when needed.
Granting access on a least-privilege basis, with privileged access strictly controlled and reviewed.
Meeting and, where reasonable, exceeding applicable legal, regulatory and contractual requirements.
Developing, maintaining and testing business continuity plans.
Providing security training and embedding security responsibilities into role descriptions.
Protecting employees who report security concerns in good faith from retaliation.
Investigating and responding to all reported or suspected information security breaches.
The full policy and supporting standards are available to customers and auditors under NDA.
Contact
Topic                                                         Contact
Security vulnerabilities and incidents                        security@meetmadison.ai
Privacy, data subject requests and Data Processing Agreements privacy@meetmadison.ai
Compliance evidence and security questionnaires               security@meetmadison.ai
General enquiries                                             hello@meetmadison.ai