Security at Ito

Security is foundational to how we build and operate Ito. This page describes our security program and how to report issues to us.

Reporting a vulnerability

If you believe you've found a security vulnerability in Ito, please email security@ito.ai. Include:

  • A description of the issue and its potential impact
  • Steps to reproduce
  • Any proof-of-concept code or screenshots

We'll acknowledge your report, investigate, and keep you updated on remediation. We ask that you give us a reasonable window to address the issue before public disclosure, and that you avoid privacy violations, data destruction, or service disruption while testing.

Compliance

Ito is currently undergoing a SOC 2 Type II audit. Once the report is available, it will be shared under NDA.

You can contact security@ito.ai for the latest status or to be notified when the report is ready.

Data protection

  • Encryption in transit. All traffic between users and Ito is encrypted with TLS 1.2 or higher.
  • Encryption at rest. Customer data is encrypted at rest using AES-256.
  • Secrets management. Credentials, API keys, and tokens are stored in a managed secrets service and never committed to source control.
  • Data isolation. Customer data is logically segregated, and access is scoped per installation.

Infrastructure

Ito runs on AWS in the United States. We rely on AWS for physical security, environmental controls, and hardware lifecycle management. Our production environment uses:

  • Private networking with restricted ingress
  • Managed, encrypted database and cache services
  • Container-based deployment
  • Infrastructure defined as code and peer-reviewed before changes ship

Access control

  • Access to production systems requires SSO with mandatory multi-factor authentication.
  • Access is granted on a least-privilege basis and reviewed periodically.
  • Production access is logged and auditable.
  • Employee accounts are de-provisioned promptly upon offboarding.

Application security

  • All code changes are peer-reviewed before merging.
  • Static analysis, dependency scanning, and secret scanning run in CI.
  • Dependencies are kept up to date, and known vulnerabilities are triaged on a defined SLA.
  • Authentication uses industry-standard OAuth flows; sessions are stored server-side.

Monitoring and incident response

  • Production systems emit structured logs and metrics to centralized observability tooling.
  • We have a documented incident response plan with defined severity levels, roles, and communication procedures.
  • Customers affected by a security incident will be notified without undue delay.

Employee security

  • All employees complete security and privacy training at onboarding and annually thereafter.
  • Background checks are performed where legally permitted.
  • Employees are bound by confidentiality obligations.

Contact

For security questions, reports, or to request our subprocessor list or SOC 2 status update, please email security@ito.ai.
