Encrypted in transit and at rest
TLS 1.3 on every connection, AES-256 on managed Postgres + object storage, customer-managed keys on request.
Trust
Compliance you can verify in one click.
Our compliance posture, the controls behind it, and where the data physically lives. We treat enterprise diligence as a first-class feature, not an afterthought.
Certifications & frameworks
SOC 2 Type II
Audited
Annual third-party audit covering security, availability, and confidentiality. Report available under NDA.
GDPR
Audited
EU data protection agreement, processor terms, and cross-border transfer mechanisms in place.
ISO 27001
In progress
Information security management system aligned to ISO 27001 controls. Certification audit in flight.
HIPAA
In progress
BAA-ready posture for healthcare workloads. Customer-side activation requires a signed agreement.
PCI DSS
Audited
Stripe handles cardholder data end-to-end. We never touch a PAN; SAQ A scope only.
CCPA
Audited
California consumer rights honoured globally — access, deletion, and opt-out flows wired into the dashboard.
Operating principles
Least-privilege access
Row-level security on every table, role-scoped admin actions, hardware-backed SSO for staff with mandatory 2FA.
Continuous third-party audits
External penetration tests twice a year. Static analysis + dependency review on every PR.
Choose your data residency
EU, US, or APAC primary regions. Backups stay in-region with documented retention windows.
Need a deeper look?
Read the security model or pull the latest status — every artefact links back here.