Trust deny.sh.
The complete picture in four pillars: certifications we hold today, engineering controls we have shipped, the controls map against SOC 2 and ISO 27001, and the documents you can pull right now. Every line on this page links to verifiable evidence.
// pillar 1
Certifications
What we hold today, verifiable independently. We do not list certifications we have not earned.
Cyber Essentials
IASME, valid 15 May 2026 through 15 May 2027. Includes £25k cyber liability insurance via Sutcliffe & Co.
Verify on BlockMark →
UK GDPR + DPA
Treehouse in Valhalla Ltd is the UK data controller. Privacy policy and DPA published, DPA incorporable into commercial contracts on request.
/dpa →
SOC 2 Type II
Controls documented and operating against TSC 2017 (with 2022 Points of Focus). Independent examination scheduled for the post-launch funding window. Audit firm and audit window to be announced once engaged.
Controls map →
ISO 27001:2022
Annex A controls mapped against operational policies. Formal certification on the post-launch roadmap, parallel track ~6 months behind SOC 2.
Controls map →
// pillar 2
Shipped engineering controls
Six controls backing the compliance posture above. Every claim lands in code you can read and a dashboard you can open.
01 · live
Audit chain + signed receipts
Tamper-evident hash chain over every operation, RFC 3161 trusted timestamps from an independent TSA, signed receipts you can hand to a regulator.
02 · live
Inheritance state machine
End-to-end inheritance flow with nominee verification, escalation, and release. Custodian-grade evidence of who held what and when.
03 · live
Durable usage metering
Per-tier daily metering with headers, dashboards, and 80 / 95 / 100 percent email alerts. Quota events join the audit chain.
04 · live
BYOK envelope (AWS KMS)
Server-stored ciphertext wrapped with a per-record AES-256-GCM DEK, the DEK itself encrypted under your AWS KMS CMK. Revoke the CMK and the stored data goes dark.
05 · live
Pre-built integrations
AWS Secrets Manager custodian, signed outbound webhooks (Datadog, PagerDuty, Slack), and SAML SSO (Okta-compatible, JIT provisioning).
06 · live
Compliance umbrella
This trust center, the controls map (SOC 2 TSC and ISO 27001 Annex A against shipped controls), the lightweight status page, and the honest roadmap blog post.
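As an added illustration of the BYOK envelope pattern in control 04 (example code written for this page, not deny.sh's own implementation), the Go sketch below encrypts each record under its own AES-256-GCM data key, wraps that key under a customer-held key, and shows that revoking the customer key makes the record unreadable. StubKMS, Record, Encrypt and Decrypt are names assumed for the example; StubKMS stands in for AWS KMS with a local AES-GCM wrap, so the wrapping format is not the real KMS one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randBytes draws n bytes from the OS CSPRNG; a failure here is unrecoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aesGCM builds an AES-256-GCM AEAD. Every key in this file is 32 bytes, so an error is a bug.
func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal returns nonce || ciphertext || tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	aead := aesGCM(key)
	nonce := randBytes(aead.NonceSize()) // fresh random nonce per seal, never reused under a key
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext, tag or aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead := aesGCM(key)
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed data too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// StubKMS stands in for AWS KMS (an assumption of this example): it holds the customer-managed
// key (CMK) and can be revoked. Wrapping is AES-256-GCM under the CMK in place of the KMS API.
type StubKMS struct {
	cmk     []byte
	revoked bool
}

func NewStubKMS() *StubKMS { return &StubKMS{cmk: randBytes(32)} }
// Wrap encrypts a DEK under the CMK; Unwrap refuses once the customer has revoked the CMK.
func (k *StubKMS) Wrap(dek []byte) []byte { return seal(k.cmk, dek, []byte("dek-wrap")) }
func (k *StubKMS) Unwrap(wrapped []byte) ([]byte, error) {
	if k.revoked {
		return nil, errors.New("kms: customer key disabled")
	}
	return open(k.cmk, wrapped, []byte("dek-wrap"))
}
func (k *StubKMS) Revoke() { k.revoked = true }

// Record is what the service stores: ciphertext plus the wrapped DEK, never the plaintext DEK.
type Record struct {
	ID         string
	Ciphertext []byte
	WrappedDEK []byte
}

// Encrypt draws a fresh AES-256 DEK per record, seals the plaintext with the record ID as AAD
// (so ciphertext cannot be swapped between records), and stores only the CMK-wrapped DEK.
func Encrypt(k *StubKMS, id string, plaintext []byte) Record {
	dek := randBytes(32)
	return Record{ID: id, Ciphertext: seal(dek, plaintext, []byte(id)), WrappedDEK: k.Wrap(dek)}
}

// Decrypt must unwrap the DEK through KMS first; with the CMK revoked the record goes dark.
func Decrypt(k *StubKMS, r Record) ([]byte, error) {
	dek, err := k.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(r.ID))
}

func main() {
	kms := NewStubKMS()
	rec := Encrypt(kms, "rec-001", []byte("constructed sample secret")) // constructed input
	pt, err := Decrypt(kms, rec)
	fmt.Printf("before revoke: %q err=%v\n", pt, err)
	kms.Revoke()
	pt, err = Decrypt(kms, rec)
	fmt.Printf("after revoke:  %q err=%v\n", pt, err)
}
```

Two design points carry over to the real thing: the plaintext DEK exists only in memory during a single operation and never reaches storage, and binding the record ID as AAD means a ciphertext copied onto another record fails authentication rather than decrypting under the wrong identity.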
// pillar 3
Controls map
Every SOC 2 Trust Services Criterion and every ISO 27001:2022 Annex A control mapped to the moat or operational control that evidences it. Public index, with the deeper policy pack assembled under NDA on procurement engagement.
SOC 2 TSC 2017 with 2022 Points of Focus. CC1 governance · CC2 communication · CC3 risk assessment · CC4 monitoring · CC5 control activities · CC6 logical access (audit-chain, inheritance, BYOK, integrations controls) · CC7 system operations (audit-chain, metering, integrations controls) · CC8 change management · CC9 risk mitigation · A1 availability · C1 confidentiality (BYOK, integrations controls) · PI1 processing integrity (audit-chain control).
ISO/IEC 27001:2022 Annex A. A.5 organisational · A.6 people · A.7 physical · A.8 technological (mapped against the same engineering controls and policies).
UK GDPR. Lawful basis, retention, rights, international transfers documented at /privacy and /dpa.
Out of scope today. HIPAA, PCI DSS, FedRAMP. Talk to us if your use case requires a specific posture.
// pillar 4
Documents
Everything you can pull down right now, no NDA required.
// pillar 5
Verifiability
Read the code, check the build, ping the health endpoint, examine the audit chain.
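To make "examine the audit chain" concrete, here is an added Go example (written for this page, not deny.sh's own code) of the tamper-evident hash chain and signed receipts described under control 01: each link's hash commits to the previous link and the operation, receipts are Ed25519 signatures over the link hash, and a verifier recomputes the chain from genesis without needing any key. Entry, Receipt, Chain, Verify and VerifyReceipt are names assumed for the example; the RFC 3161 timestamp step is left out because it needs a live TSA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
)

// Entry is one link: Hash commits to Seq, Prev and Op, so editing or dropping an earlier link breaks every later one.
type Entry struct {
	Seq  int
	Op   string
	Prev string
	Hash string
}

// Receipt is handed back per operation: the link hash signed with the service key, verifiable offline.
type Receipt struct {
	Hash string
	Sig  []byte
}

type Chain struct {
	Entries []Entry
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
}

func NewChain() (*Chain, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Chain{Pub: pub, priv: priv}, nil
}

// linkHash length-prefixes each field so that plain concatenation cannot be ambiguous.
func linkHash(seq int, prev, op string) string {
	h := sha256.New()
	for _, f := range []string{strconv.Itoa(seq), prev, op} {
		h.Write([]byte(strconv.Itoa(len(f)) + ":" + f))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Append adds an operation to the chain and returns its signed receipt.
func (c *Chain) Append(op string) Receipt {
	prev := ""
	if n := len(c.Entries); n > 0 {
		prev = c.Entries[n-1].Hash
	}
	e := Entry{Seq: len(c.Entries), Op: op, Prev: prev}
	e.Hash = linkHash(e.Seq, prev, op)
	c.Entries = append(c.Entries, e)
	return Receipt{Hash: e.Hash, Sig: ed25519.Sign(c.priv, []byte(e.Hash))}
}

// Verify recomputes every link from genesis; returns the index of the first broken link, or -1 if intact.
func Verify(entries []Entry) int {
	prev := ""
	for i, e := range entries {
		if e.Seq != i || e.Prev != prev || e.Hash != linkHash(i, prev, e.Op) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// VerifyReceipt checks the signature and that the hash is present in the chain, so a dropped operation cannot hide behind a valid receipt.
func VerifyReceipt(pub ed25519.PublicKey, entries []Entry, r Receipt) bool {
	if !ed25519.Verify(pub, []byte(r.Hash), r.Sig) {
		return false
	}
	for _, e := range entries {
		if e.Hash == r.Hash {
			return true
		}
	}
	return false
}

func main() {
	c, err := NewChain()
	if err != nil {
		panic(err)
	}
	ops := []string{"vault.create id=v1", "secret.put id=v1/db", "nominee.verify id=v1"} // constructed sample operations
	var last Receipt
	for _, op := range ops {
		last = c.Append(op)
	}
	tampered := append([]Entry(nil), c.Entries...)
	tampered[1].Op = "secret.delete id=v1/db"
	fmt.Println(Verify(c.Entries), Verify(tampered), VerifyReceipt(c.Pub, c.Entries, last)) // -1 1 true
}
```

The two checks a regulator or customer would run are shown separately on purpose: Verify needs only the published chain and catches edits and deletions, while VerifyReceipt needs the service public key and ties a receipt in someone's hands back to a specific link that must still be present.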
Evaluating deny.sh for procurement?
Write to hello@deny.sh. Under NDA we share the full controls pack: SOC 2 control documentation, ISO 27001 Annex A mapping, vulnerability management policy, vendor list with locations and roles, incident response runbook, business continuity plan, and the data residency matrix per plan tier. Five business day turnaround standard, faster on request.
For security findings, see /disclosure.