Security & Compliance

Enterprise security without compromise.

The platform is built from the ground up for the security requirements of regulated, global enterprises. Every layer of our platform is independently audited, continuously monitored, and designed so your data never leaves the boundaries you set.

Independently audited. Continuously maintained.

Every certification listed below is current, third-party audited, and available for customer review under NDA. We don't let certifications lapse.

SOC 2 Type II
Annual third-party audit of security, availability, processing integrity, confidentiality, and privacy controls across the platform. The report covers a trailing 12-month period and is renewed every year.
Scope: all production systems and supporting infrastructure
ISO/IEC 27001:2022
International standard for information security management systems (ISMS). Our certification covers our engineering, operations, support, and development environments — not just production hosting.
Scope: information security management system — full organizational scope
GDPR & EU Data Compliance
We operate as either a Data Processor or a Data Controller, depending on your configuration. Standard Contractual Clauses (SCCs) and a Data Processing Agreement (DPA) are available to all customers on request.
Scope: EU/EEA data residency options available in Frankfurt and Dublin
HIPAA Eligibility
We sign Business Associate Agreements (BAAs) with all healthcare customers. Our platform supports HIPAA-eligible workloads with configurable data handling policies, access controls, and audit logging that meet PHI requirements.
Scope: healthcare and life sciences customers with a BAA in place
FedRAMP Moderate Authorization
Our GovCloud deployment is authorized at the FedRAMP Moderate impact level, making it suitable for U.S. federal agencies and contractors handling controlled unclassified information (CUI).
Scope: GovCloud deployment in the US-Gov-East and US-Gov-West regions
PCI DSS Level 1
For customers processing payment card data, we maintain PCI DSS Level 1 compliance — the highest level of certification. Quarterly network scans and annual on-site assessments are conducted by a Qualified Security Assessor (QSA).
Scope: payment processing environments and cardholder data infrastructure

Security by design. Defense in depth.

We don't rely on a single security control. Our security model layers multiple independent defenses so that no single failure exposes your data.

Data Encryption
All data is encrypted at every stage — at rest and in transit — with no exceptions. Customer-managed keys (CMK) are available for organizations that require control over their own encryption keys.
  • AES-256-GCM encryption at rest across all storage tiers
  • TLS 1.3 in transit — older protocols are disabled by default
  • Customer-managed keys (CMK) with AWS KMS, Azure Key Vault, or GCP KMS
  • Field-level encryption available for sensitive data elements
Identity & Access Control
Zero-trust access architecture with granular role-based permissions, single sign-on, and multi-factor authentication enforced by default. Every access decision is logged with full context.
  • SAML 2.0 and OIDC SSO integration — works with any IdP (Okta, Azure AD, PingFederate, etc.)
  • Granular RBAC down to individual field and row level
  • MFA enforced for all users — hardware keys, TOTP, and push notifications supported
  • Privileged access management (PAM) with just-in-time access for admin operations
Immutable Audit Logs
Every action in the platform — every login, every data access, every configuration change — is logged with tamper-evident audit trails. Logs cannot be modified or deleted, even by platform administrators.
  • Immutable audit log with cryptographic integrity verification
  • Configurable log retention from 1 to 10 years to meet regulatory requirements
  • Real-time SIEM export via syslog, Splunk HEC, or Amazon Security Lake
  • Exportable for external compliance audits at any time in standard formats
Infrastructure Security
Network-level controls, runtime threat detection, and proactive vulnerability management protect the underlying infrastructure. Our security operations center monitors all production systems 24/7/365.
  • Network segmentation with zero-trust micro-perimeters between services
  • Web Application Firewall (WAF) and DDoS protection at all ingress points
  • Container runtime security with behavioral anomaly detection
  • Annual third-party penetration testing — results shared with enterprise customers

Your data stays where you put it.

Data residency, data sovereignty, and privacy compliance are not optional features — they are built into our architecture from day one.

Data Residency by Region

Choose where your data is stored and processed: North America, European Union, United Kingdom, Asia Pacific, or GovCloud. Data at rest never crosses regional boundaries without explicit customer authorization.

GDPR, CCPA & Global Privacy Compliance

We support data subject rights out of the box — including right of access, right to erasure, data portability, and consent management. CCPA and LGPD compliance toolkits are included for all enterprise customers.

Data Processing Agreements

Standard Contractual Clauses (SCCs), Data Processing Agreements (DPAs), and Business Associate Agreements (BAAs) are available for all customers. Our legal team responds to DPA requests within 2 business days.

Data Retention & Deletion

Configurable data retention policies per module and data type, with automated deletion workflows at end of contract. Customer data is cryptographically wiped within 30 days of contract termination — with a certificate of deletion provided.

Deploy where your policy requires.

We support three deployment models. Every model receives the same product updates, SLA, and support tier.

Cloud (most common)
Multi-tenant SaaS deployment in your preferred region (NA, EU, UK, APAC, GovCloud). Fully managed by us — automatic updates, backups, and scaling. 99.98% uptime SLA included.
Dedicated Private Cloud (for regulated industries)
Single-tenant deployment in a managed dedicated environment in your chosen cloud provider (AWS, Azure, or GCP). Logical and physical isolation from all other customers. Custom SLAs available.
On-Premises / Air-Gapped (for sovereign requirements)
Full on-premises deployment on customer-managed infrastructure, including fully air-gapped environments for defence, intelligence, and critical infrastructure customers. Our engineers provide deployment support and annual on-site updates.

Questions about our security posture?

Our security team is available to answer detailed technical questions, review our audit reports, and walk through our controls for your specific compliance requirements.