Security
Transparency into our security posture, compliance certifications, and data protection practices.
Enterprise-grade security controls with continuous monitoring and improvement.
Our security program is built on defense-in-depth principles. We implement network segmentation, intrusion detection, and 24/7 monitoring across all production systems. Security reviews are mandatory for every code change, and our incident response team maintains a median response time under 15 minutes.
All data encrypted at rest (AES-256) and in transit (TLS 1.3).
Customer data is encrypted with AES-256 at rest using AWS KMS-managed keys with automatic annual rotation. All network traffic uses TLS 1.3 with modern cipher suites. Database backups are encrypted, and encryption keys are stored in hardware security modules (HSMs) that are FIPS 140-2 Level 3 validated.
Role-based access, SSO, SCIM provisioning, and audit logs for every action.
Fine-grained role-based access control lets you define exactly who sees what. SSO integrates with SAML 2.0 and OIDC providers, and SCIM provisioning automates user lifecycle management. Every access event, data export, and configuration change is logged with immutable audit trails retained for 12 months.
GDPR and CCPA compliant. Your data stays yours. See our Privacy Policy.
We process data in accordance with GDPR and CCPA requirements. Your data is never used to train AI models. Data processing agreements (DPAs) are available on request. We support data portability, right to deletion, and maintain data residency within your preferred region. Annual privacy impact assessments are conducted by an independent third party.
Regular third-party penetration testing. Results available under NDA.
We engage independent security firms to conduct penetration testing at least annually, covering our application, infrastructure, and APIs. Findings are remediated on a risk-prioritized timeline: critical within 24 hours, high within 7 days. Executive summaries of our most recent assessment are available under NDA.
Full list of subprocessors available. We notify you of any changes.
We maintain a curated list of subprocessors and minimize the number of third parties with access to customer data. All subprocessors undergo security review before onboarding. We provide 30 days' advance notice before adding any new subprocessor, giving you time to review and raise concerns.
Questions about our security posture? Contact security@adrata.com