How we protect your data.

Data protection

• AES-256 encryption at rest, TLS 1.3 in transit.
• Per-customer encryption keys with quarterly rotation.
• Field-level encryption available for PII on Enterprise plans.
• Backup encryption mirrors production posture.

Identity & access

• SSO via SAML 2.0 and OIDC, SCIM provisioning.
• Hardware-key MFA enforced for all internal access to production.
• Just-in-time access for production with full audit trail.
• Quarterly access reviews of privileged roles.

Network & isolation

• Cloud-native AWS architecture with multi-region active-active deployment.
• Microservices on Kubernetes — each capability independently scoped.
• Multi-tenant by default; single-tenant deployments on Enterprise.
• Per-customer data isolation enforced at the storage layer.
• Private cloud and BYO-cloud deployment options.
• VPC peering and PrivateLink available for direct integration.
• Regional data residency for EU, US, and APAC.

Monitoring & response

• 24/7 SIEM with named SOC analysts.
• Automated anomaly detection on auth and data-access patterns.
• Incident response runbooks with quarterly tabletop exercises.
• Customer notification within 24 hours of any qualifying incident.

Application security

• Annual external penetration tests with public summary.
• Continuous SAST/DAST scanning in CI.
• Dependency scanning with auto-PR for security updates.
• Bug bounty program — invite-only, generous payouts.

Operational hygiene

• Mandatory security training on hire and annually thereafter.
• All laptops MDM-managed with full-disk encryption.
• No production access from personal devices.
• Vendor risk reviews on every subprocessor before onboarding.