Trust Center
Security, compliance, and transparency are at the core of everything we do. Learn how we protect your data and maintain the highest standards.
Compliance Certifications
SOC 2 Type I
In Progress
Expected: May 2026
SOC 2 Type II
Observation Window
Started: April 2026
GDPR
Compliant
DPA Available
CCPA
Compliant
Privacy Policy Updated
Security Posture
π Encryption
- β’ TLS 1.3 on all public endpoints
- β’ AES-256 encryption at rest
- β’ GCP KMS for key management
- β’ 90-day key rotation
π‘οΈ Access Control
- β’ SSO via Google Workspace/Okta
- β’ MFA required for all employees
- β’ Quarterly access reviews
- β’ RBAC per workspace
π Compliance
- β’ 12 security policies documented
- β’ Vanta integration for continuous monitoring
- β’ Annual third-party audits
- β’ 7-year audit log retention
π Availability
- β’ 99.9% SLA (enterprise)
- β’ PITR with 35-day retention
- β’ Weekly backups to isolated project
- β’ Monthly restore drills
Documentation
Sub-processors
List of all third-party data processors
Data Processing Agreement
GDPR-compliant DPA template
Privacy Policy
How we collect and handle your data
Status
Live DNS and HTTPS health for the public edge inventory
Terms of Service
Service terms and conditions
Refund Policy
Refund eligibility and request process
Acceptable Use
Rules for scraping, automation, and data collection
Data Deletion
How to request workspace deletion
Data Export
How to request a portable workspace export
Security Whitepaper
Technical security details
Vulnerability Disclosure
Report security issues responsibly
Audit Reports
SOC 2 audit reports are available under NDA. To request access:
- Sign our NDA via HelloSign
- Receive time-limited signed URL
- Download report (valid for 48 hours)
Security FAQ
Where is my data stored?
Customer data is stored in GCP us-central1 (Iowa) by default. Enterprise customers can specify alternative regions.
Who has access to my data?
Access is restricted to authorized personnel with documented need-to-know. All access is logged and audited. SSO + MFA required for all employees.
What happens if there's a data breach?
We notify affected customers within 72 hours per GDPR requirements. Incident response procedures include containment, investigation, and remediation.
Can I delete my data?
Yes, you can request a full data export or permanent deletion via the API or dashboard. Deletion certificates are provided within our 30-day SLA.
Is my data encrypted?
Yes, all data is encrypted in transit (TLS 1.3) and at rest (AES-256). Database encryption uses Cloud SQL CMEK.
Do you use sub-processors?
Yes, we use sub-processors for infrastructure, payments, and AI services. See our sub-processor list for details. We notify customers 30 days in advance of any changes.