Security & data

Your guest data is not our business model.

Every system we build runs in your accounts, under your keys, in your region. We don't resell insights. We don't aggregate across clients. You own every row, every log, every audit trail.

Secure data systems

The four pillars

Security baked into every system we ship.

Pillar 01

PII encryption

  • Field-level encryption for all PII at rest
  • TLS 1.3 everywhere in transit
  • Per-tenant keys, rotated on schedule
  • No PII in logs, ever
Pillar 02

Role-based access

  • Per-field controls for every team member
  • Time-windowed credentials for contractors
  • SSO / SAML on request
  • Short-lived tokens for vendor APIs
Pillar 03

Data sovereignty

  • Your tenant, your cloud, your region
  • No shared multi-tenant storage, ever
  • Export your full dataset at any time
  • Backups encrypted and stored on your retention policy
Pillar 04

Audit logging

  • Every read and write logged with actor
  • Immutable append-only audit store
  • One-click replay of any guest’s timeline
  • Exportable for your compliance team

Compliance posture

We meet your legal team where they are.

We'll sign your DPA, your MSA, your data-handling addendum. For regulated builds we scope the deploy accordingly. Ask us what you need — we'll answer specifically.

GDPR

Data export, right to erasure, DPA on request

CCPA

Honor consumer rights with per-field controls

SOC 2

Working toward Type II — shared on request

HIPAA

Scoped deploys available for regulated builds

Dedicated deploy

Your system runs in your tenant.
Not a shared platform.

Every build ships to an isolated environment you control. Same engineers, same code, different deploy — with your keys, your data, your region. Nothing co-mingled with another client.

Isolated deploy

Your cloud account · your VPC · your network policy

Your keys

KMS, secrets manager, and rotation owned by you

Your region

Pick the region to match your data residency rules

Your database

Postgres or warehouse of choice · full export any time

Security review

Your legal team has questions. We have specific answers.

Share your DPA, your security questionnaire, or your architecture requirements. We respond in hours — not days — with specifics.

Start your projectSee how we work