Compliance & Certifications

Transparent reporting on our compliance journey and data handling practices.

Transparency Notice

We believe in honest communication about our compliance status. Below you'll find our current certifications, in-progress audits, and planned initiatives. We do not claim certifications we have not yet achieved.

Active

GDPR Compliance

Fully compliant with the EU General Data Protection Regulation. Data processing agreements available.

In Progress

SOC 2 Type II

Currently undergoing SOC 2 Type II audit. Expected completion Q2 2026.

Planned 2026

ISO 27001

Information security management system certification planned for 2026.

Data Handling Practices

Encryption Standards

  • TLS 1.3 for all data in transit
  • AES-256 encryption for data at rest
  • Customer-managed encryption keys (CMEK) available for enterprise plans

Data Residency

Customer data is stored in the geographic region of your choice. We support data residency requirements for EU, US, APAC, and other regions. Data does not leave your chosen region without explicit consent.

Data Retention Policies

  • Operational Data: Retained for the duration of your subscription plus 90 days
  • Audit Logs: Retained for 7 years to meet regulatory requirements
  • Backups: Encrypted backups retained for 30 days with point-in-time recovery

Access Controls

Authentication

  • Multi-factor authentication (MFA) required for all users
  • Enterprise SSO with SAML 2.0 and OIDC support
  • Passwordless authentication options available

Authorization

  • Role-based access control (RBAC) with custom roles
  • Principle of least privilege enforced
  • Regular access reviews and automated deprovisioning

Incident Response

We maintain a comprehensive incident response plan to quickly detect, respond to, and recover from security incidents.

Our Response Process

  1. Detection and triage within 1 hour of incident identification
  2. Customer notification within 24 hours for incidents affecting customer data
  3. Root cause analysis and remediation plan within 72 hours
  4. Post-incident review and security improvements implemented within 30 days