SDR Agent

Security & Compliance

Cold Agent is built with security at its foundation. We follow industry best practices and are actively pursuing SOC 2 Type I certification to provide our customers with independently verified assurance of our security controls.

SOC 2 Trust Service Criteria

Security

We protect customer data through defense-in-depth controls across every layer of the stack.

  • All data encrypted at rest using AES-256 via AWS DynamoDB and Secrets Manager encryption
  • All data encrypted in transit using TLS 1.2+ with modern cipher suites
  • AWS WAF deployed at the edge with managed rule sets for OWASP Top 10 protection
  • Content Security Policy (CSP) headers enforced on all endpoints to prevent XSS and injection attacks
  • Automated vulnerability scanning and dependency auditing in CI/CD pipelines

Availability

Our infrastructure is designed for high availability and resilience, targeting 99.9% uptime.

  • Multi-region AWS deployment with automated failover capabilities
  • Health monitoring with sub-minute granularity via CloudWatch and custom probes
  • 99.9% SLA target with monthly uptime reporting
  • Auto-scaling compute and database throughput to handle traffic spikes
  • Disaster recovery plan with defined RPO and RTO targets

Confidentiality

Customer data is isolated and protected through strict access controls and encryption boundaries.

  • Tenant data isolation with row-level security and partition-key scoping in DynamoDB
  • Per-tenant encryption keys managed through AWS KMS with automatic rotation
  • Role-based access control (RBAC) with least-privilege enforcement for all internal systems
  • No cross-tenant data access — queries are scoped to the authenticated tenant
  • Secrets (API keys, SMTP credentials) stored in per-tenant Secrets Manager entries, never in code or config files

Processing Integrity

We ensure data is processed completely, accurately, and in a timely manner.

  • Dead Letter Queue (DLQ) monitoring with alerting on failed message processing
  • Circuit breaker patterns on all external service integrations to prevent cascade failures
  • Automated retry with exponential backoff for transient failures
  • Idempotency keys on all write operations to prevent duplicate processing
  • End-to-end audit trail for email sends, lead updates, and campaign state transitions

Privacy

We respect user privacy and comply with global data protection regulations.

  • GDPR-compliant data export and deletion workflows — request via Settings or email
  • Data Processing Agreement (DPA) available for all customers upon request
  • Data residency options: choose US or EU region for data storage
  • Data minimization — we collect only what is necessary to provide the Service
  • Regular privacy impact assessments for new features and integrations

Infrastructure

Cold Agent runs entirely on AWS, provisioned and managed through AWS CDK (Infrastructure as Code). All infrastructure changes go through code review and are deployed via CI/CD with automated rollback. We use isolated VPCs, private subnets for backend services, and AWS PrivateLink where applicable. No production data is accessible from development environments.

Access Controls

Authentication is handled through Amazon Cognito with support for email/password and social login. Multi-factor authentication (MFA) is available for all accounts and enforced for admin roles. Account lockout engages after repeated failed login attempts. Internal access to production systems requires VPN, MFA, and approval — all sessions are logged and auditable.

Data Protection

Each tenant's sensitive credentials (SMTP passwords, API keys, OAuth tokens) are stored in dedicated AWS Secrets Manager entries with per-tenant KMS encryption keys. KMS keys are automatically rotated annually. Database backups are encrypted and retained for 35 days with point-in-time recovery enabled. All PII fields support pseudonymization for analytics workloads.

Incident Response

We maintain a documented incident response plan with defined severity levels, escalation paths, and communication templates. Critical alerts route to on-call engineers via PagerDuty with 5-minute acknowledgment SLAs. CloudWatch alarms, CloudTrail logs, and GuardDuty findings feed into our SIEM for correlation and investigation. Post-incident reviews are conducted for all Sev-1 and Sev-2 events.

Compliance Certifications

Cold Agent is currently undergoing SOC 2 Type I audit preparation. We have implemented controls aligned with the AICPA Trust Services Criteria across all five categories: Security, Availability, Confidentiality, Processing Integrity, and Privacy. Our target completion date is Q3 2026. Upon completion, the SOC 2 report will be available to customers and prospects under NDA.

Questions?

For security inquiries, vulnerability reports, or to request our SOC 2 readiness documentation, contact our security team at security@getcoldagent.com. We respond to all security-related inquiries within one business day.