Compliance
A single page that tells you, in plain English, exactly what compliance posture deny.sh holds today, what is on the roadmap, and where to verify each claim independently. No vague badges, no fake certifications, no pre-launch overclaiming. If a procurement team needs a one-page reference, this is it.
Cyber Essentials Certified
Treehouse in Valhalla Ltd, the UK operator of deny.sh, holds a current Cyber Essentials certificate. It was issued by the IASME Consortium (the UK government-appointed accreditation body) and is recorded on the BlockMark Registry. It is valid from 15 May 2026 through 15 May 2027.
Cyber Essentials covers five technical controls: boundary firewalls, secure configuration, user access control, malware protection, and security update management. The certificate is annual; renewal is on the calendar for May 2027.
Page last updated: 16 May 2026
At a glance
deny.sh holds one externally verified certification today (Cyber Essentials) and documents controls aligned to two further standards (SOC 2 Type II, ISO 27001) without yet engaging an independent auditor. A third-party cryptographic audit of the construction is on the roadmap. We track every claim against where you can verify it.
| Standard / control | Status today | Verify |
|---|---|---|
| Cyber Essentials (IASME) | Certified 15 May 2026, valid through 15 May 2027. | BlockMark Registry |
| UK GDPR data controller | Registered. Privacy policy covers all processing. | /privacy · /dpa |
| SOC 2 Type II controls | Controls documented and operating. Independent audit on the roadmap (firm and scope announced once engaged). | Internal documentation, available under NDA for enterprise procurement. |
| ISO 27001 Annex A mapping | Annex A controls mapped against operational policies. Formal certification on the roadmap. | Internal documentation, available under NDA for enterprise procurement. |
| Independent cryptographic audit | On the roadmap. Firm and scope announced once engaged; results published when complete. | This page and /security will be updated when the engagement begins. |
| Penetration test | No external pentest commissioned to date. We expect to commission one alongside the cryptographic audit, on the same post-launch funding window. | This page will be updated when the engagement begins. |
| HIPAA, PCI DSS, FedRAMP | Not in scope today. deny.sh is not marketed as a covered entity, payment processor, or US government cloud. Talk to us if your use case requires a specific posture. | n/a |
Cyber Essentials
Cyber Essentials is the UK government-backed baseline assurance scheme operated by the IASME Consortium. It covers five technical controls: boundary firewalls, secure configuration, user access control, malware protection, and security update management. It is an annual certification based on a written self-assessment scored against IASME's assessor question set. Our scope was the deny.sh production subset, including the droplet operator and the production application surfaces; out-of-scope items (research hardware, unrelated personal devices) were excluded under IASME's documented carve-out rules.
The certificate is recorded on the BlockMark Registry and verifiable by the certificate ID above. Renewal falls on 15 May 2027. A standard certificate includes £25,000 of cyber liability insurance via Sutcliffe & Co, bundled with the IASME issuance.
UK GDPR and DPA
Treehouse in Valhalla Ltd is the UK data controller for the deny.sh service. The privacy policy sets out the lawful bases for processing, the categories of personal data handled, retention periods, and the rights customers have under the UK GDPR and Data Protection Act 2018. A Data Processing Agreement is published at /dpa and can be incorporated into commercial contracts on request.
International transfers are addressed in section 8 of the privacy policy: where data is replicated outside the UK, transfers rely on UK-US Data Privacy Framework adequacy regulations or the UK International Data Transfer Addendum to the EU SCCs.
SOC 2 Type II controls
We maintain a controls documentation pack aligned to the SOC 2 trust services criteria (security, availability, confidentiality). The pack covers access management, change management, encryption at rest and in transit, vulnerability management, vendor management, incident response, and business continuity. The controls are operating today; they have not yet been examined by an independent SOC 2 auditor, and we will not describe them as "audited" or "certified" until they have been.
An independent SOC 2 Type II examination is on the post-launch roadmap. We expect to engage an audit firm in the period after the launch funding window closes. When the engagement begins, this page will be updated with the firm name, the audit window, and the expected report date. Until that engagement exists, we describe the posture as "controls documented and operating", not "audit in progress".
ISO 27001 Annex A mapping
The same controls documentation pack maps our operational policies against the ISO/IEC 27001:2022 Annex A controls. The mapping is internal evidence that we have thought through each control category; it is not a certification, and we will not describe it as one. Formal ISO 27001 certification is on the post-launch roadmap on the same timeline as the SOC 2 examination above.
Independent cryptographic audit
The deny.sh construction (scrypt key derivation, AES-256-CTR encryption, XOR composition) is documented in the whitepaper with a prose companion at /security and a threat model at /threat-model. We have not yet commissioned an independent cryptographic audit of the construction or the reference SDK implementations. We expect to engage a credentialed cryptography firm post-launch on a scope covering the primitive, the byte-compatible reference SDKs (TypeScript, Rust, Go, Python), and the hosted API. When the engagement is firm, we will publish the firm name, the scope, and the expected delivery date on this page and on /security. Results will be published in full when complete; we will not redact findings.
Until then, the evidence available is: the construction in plain text (/security), the whitepaper (/whitepaper), the open-source reference implementations (github.com/deny-sh-crypto), and the published reproducible-build and SRI manifest (/verify).
Penetration test
No external penetration test has been commissioned to date. We expect to commission a third-party pentest in the same post-launch funding window that covers the cryptographic audit and the SOC 2 examination, with a scope covering the public web surfaces, the hosted API, and the SDKs in their default integration mode. We will publish the firm and date when commissioned, and a summary report (with operational specifics redacted only where necessary) when complete.
Procurement pack
If you are evaluating deny.sh for an enterprise procurement and need any of the following under NDA, write to hello@deny.sh:
- SOC 2 Type II controls documentation pack
- ISO 27001 Annex A mapping
- Internal vulnerability management policy and recent scan summary
- Vendor and subprocessor list with locations and roles
- Incident response runbook (redacted operational specifics)
- Business continuity and disaster recovery plan
- Data residency matrix per plan tier
We aim to turn procurement requests around within five business days. If a deadline is shorter, say so in the email.
What we will not say
We will not describe ourselves as "SOC 2 certified" until we are. We will not describe an audit as "in progress" until we have signed an engagement letter. We will not list a partner certification (HIPAA, PCI DSS, FedRAMP) on the strength of an aligned subprocessor; the certification belongs to the entity audited, not to a vendor downstream of it. The point of this page is that you can read every claim above and verify each one without taking us on faith.
Contact
Compliance questions, procurement requests, or audit scoping discussions: hello@deny.sh. Security findings: security@deny.sh (see /disclosure for the coordinated policy and GPG key).