Security & compliance
Trust, evidenced
The controls, certifications, and data-handling practices that let your auditors sign off.
- SOC 2 Type II: in progress
- ISO 27001: planned
- GDPR: aligned
- HIPAA: ready
We publish status honestly. "In progress" means an active engagement with an external auditor, not an aspiration.
Data handling
- Payload logging is configurable per tenant — metadata-only mode available
- Retention windows set by you, enforced by the platform
- Self-hosted deployments: data never leaves your network
- Deletion requests honoured across all stores
Access controls
- SSO via OIDC and SAML; SCIM provisioning
- Role-based access with least-privilege defaults
- All administrative actions are themselves audited
- Short-lived credentials; no static shared secrets
Encryption
- TLS 1.2+ for all data in transit
- AES-256 encryption at rest
- Customer-managed keys on enterprise deployments
Incident response
- Documented IR runbooks with named owners
- Customer notification within contractual SLAs
- Post-incident reports shared with affected tenants
Responsible disclosure
Found a vulnerability? We want to know. Report it and we'll respond within two business days.