Trust Center
Data Protection

How we protect your data

Technical and organizational security measures we implement to keep your compliance data safe.

Security controls

Defense in depth across every layer of our stack.

Encryption

  • AES-256 encryption at rest for all customer data
  • TLS 1.3 encryption in transit for all connections
  • Database-level encryption with AWS KMS managed keys
  • Encrypted backups stored in geographically separate regions

Access controls

  • Role-based access control (RBAC) throughout the platform
  • Multi-factor authentication required for all employee access
  • Principle of least privilege enforced across all systems
  • Quarterly access reviews and automated deprovisioning

Infrastructure

  • Hosted on AWS in SOC 2 Type II certified data centers
  • Virtual private cloud (VPC) isolation for all environments
  • Web application firewall (WAF) protecting all endpoints
  • DDoS protection via AWS Shield

Monitoring

  • 24/7 security monitoring and alerting
  • Real-time intrusion detection and prevention
  • Centralized logging with 12-month retention
  • Automated vulnerability scanning (weekly)

Security architecture

Layered security controls at every level

Network
VPC isolation, WAF, DDoS protection, private subnets, network ACLs
Application
Input validation, output encoding, CSRF protection, secure headers, CSP
Data
AES-256 encryption, field-level encryption for sensitive data, key rotation
Identity
OAuth 2.0, MFA support, session management, secure token handling
Operational
CI/CD security scanning, infrastructure as code, change management

Security practices

How we maintain and improve our security posture.

Incident response

We maintain a documented incident response plan with defined roles, escalation procedures, and communication protocols. Our mean time to detect is under 15 minutes, and we commit to notifying affected customers within 72 hours of confirmed breaches.

Business continuity

Daily encrypted backups with 30-day retention. Recovery point objective (RPO) of 1 hour, recovery time objective (RTO) of 4 hours. Annual disaster recovery testing with documented results.

Vendor management

All vendors with access to customer data undergo security assessment. We maintain a vendor risk register, require SOC 2 reports or equivalent, and include data protection clauses in all contracts.

Penetration testing

Annual third-party penetration testing by qualified security firms. Continuous bug bounty program for responsible disclosure. All critical and high findings remediated within 30 days.

Compliance frameworks

Third-party validated security and compliance.

SOC 2 Type II

Annual audit covering Security, Availability, and Confidentiality trust service criteria.

Certified

ISO 27001

Information security management system certification with annual surveillance audits.

Certified

PCI DSS

Payment Card Industry Data Security Standard compliance for billing data handling.

Compliant

GDPR

European data protection regulation compliance including DPA availability.

Compliant

CCPA

California Consumer Privacy Act compliance with consumer rights support.

Compliant

Data residency

By default, customer data is stored in AWS us-east-1 (N. Virginia) with backups replicated to us-west-2 (Oregon). Enterprise customers can request data residency in EU (eu-west-1, Ireland) or other supported regions.

PrimaryUS East (N. Virginia)
BackupUS West (Oregon)
EU OptionEU West (Ireland)

Need more details?

Download our security documentation package including SOC 2 report, penetration test summary, and completed security questionnaire.

Download Security PackContact Security Team