Security at
ActionableOutcomes

CastleLink™ protects the data behind the work that matters most. That work includes federal fraud programs that recover billions in taxpayer funds, healthcare oversight that defends vulnerable populations, financial institutions that safeguard trillions in deposits, and government agencies that serve the public. The trust placed in our platform is the trust placed in those missions. We treat it accordingly.

Given the critical work performed on our platform, security is the foundation everything else stands on.

Our team works continuously to harden every layer, from source code to cloud infrastructure to disaster recovery and everything between. We remain ahead of the threats our customers’ missions face.

Three objectives. 
One foundation.

01

Protect the platform.

02

Protect the customers.

03

Protect the missions.

Compliance & Accreditation

COMPLIANCE AND ACCREDITATION
CastleLink is built for the most regulated environments in the world: federal agencies, healthcare systems, financial institutions, and government programs. Compliance isn’t optional and audit trails aren’t theoretical. The platform is designed, deployed, and operated to align with the standards our customers’ missions require.

  • SOC 2 Type II
  • ISO 27001
  • NIST 800-53
  • NIST 800-171
  • FedRAMP (Moderate)
  • FISMA
  • HIPAA
  • HITRUST
  • GDPR
  • CCPA
  • CMMC
  • SSAE 18 / ISAE 3000

For full compliance documentation and audit reports, 
contact our security team

Defense in Depth

DEFENSE IN DEPTH
Defense-in-depth is the discipline. Every layer of the platform is independently hardened, audited, and monitored, so no single failure exposes the whole. The capabilities below operate continuously, across every deployment, by default.

APPLICATION SECURITY
Every line of code is scanned, tested, and validated before it ships.

  • Static Application Security Testing (SAST) across all repositories
  • Source control hardened against sensitive value leakage
  • Automated vulnerability detection across the development lifecycle
  • Language-specific scanners and linters applied at every commit
  • Continuous code review and dependency auditing

SERVER SECURITY
Every server watched, hardened, and logged.

  • Advanced Intrusion Detection Environment (AIDE) on every server
  • Platform- and language-specific external dependency monitoring
  • Centralized security and access log aggregation
  • Real-time log indexing and visualization
  • Hardened OS baselines aligned to industry benchmarks

CLOUD SECURITY
The cloud layer locked down at every entry point.

  • AWS Security Hub operating at maximum supported security standards
  • Two-factor authentication enforced on every user and admin account
  • All servers deployed inside Virtual Private Clouds (VPCs)
  • Network isolation and traffic monitoring across all environments
  • Least-privilege IAM policies enforced platform-wide

ENCRYPTION
Every byte encrypted, at rest and in transit.

  • FIPS-compliant encryption algorithms
  • In-house certificate authority and Public Key Infrastructure (PKI)
  • End-to-end encryption across the full data pipeline
  • Key rotation and lifecycle management
  • TLS 1.3 enforced on all external connections

BACKUPS & DISASTER RECOVERY
Built so nothing gets lost.

  • Write-ahead logging (WAL) on every database
  • Identity provider resource definitions backed up to cloud repositories
  • Audit logs continuously exported and archived
  • Multi-region backup and failover storage
  • Disaster recovery procedures aligned to NIST guidelines

Testing & Disclosure

TESTING AND DISCLOSURE
Continuous testing is how the platform stays defensible. Independent assessments, internal red-team exercises, and customer-driven validation all run on a regular cadence. When something surfaces, we want to know about it before anyone else does.

PENETRATION TESTING
Independent and customer-initiated, on a regular cadence.

  • Annual third-party penetration testing across the platform
  • Internal red team exercises throughout the year
  • Customer-initiated penetration tests permitted under defined conditions
  • Findings tracked, remediated, and re-tested through closure
  • Assessment summaries available to qualified customers under NDA

RESPONSIBLE DISCLOSURE
If you find something, tell us.

CastleLink takes security disclosures seriously. If you’ve identified a vulnerability, whether you’re a customer, a researcher, or a third party, we want to know. We’ll confirm, remediate, and credit your finding through our coordinated disclosure process.

For full compliance documentation and audit reports, 
Contact our security team