Security & compliance posture

Built for your CISO and legal team, not just your CMO.

ExperientialOS is the experiential data layer for global brands, which means it has to clear the bar your security and compliance teams set for any system touching customer PII. Every system we ship runs in your accounts, under your keys, in your region.

Secure data systems

The four pillars

Security and governance baked into every deployment.

Pillar 01

PII encryption & minimization

  • Field-level encryption for all PII at rest
  • TLS 1.3 everywhere in transit
  • Per-tenant keys, rotated on schedule
  • Minimum-necessary capture defaults — no fields collected unless they earn their place
  • Zero PII in application logs

Pillar 02

Vendor & staff access control

  • Role-scoped access for every agency, contractor, and freelancer
  • Time-windowed credentials for tour staff and short-term roles
  • SSO / SAML for brand-side users on request
  • Short-lived tokens for vendor and partner APIs
  • Revoke in clicks the moment someone rolls off the program

Pillar 03

Data sovereignty & retention

  • Your tenant, your cloud, your region — never shared multi-tenant storage
  • Documented retention schedules enforced by tooling
  • Automatic purge of expired data per data class
  • Full export of your dataset at any time, in clean schemas
  • Backups encrypted and held under your retention rules

Pillar 04

Audit logging & subject access

  • Every read and write logged with actor, timestamp, and context
  • Immutable append-only audit store
  • Subject-access, export, and deletion in a single console — across every event
  • Consent receipts archived against the guest record
  • Exportable evidence for legal, compliance, and security reviews
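As an added illustration of what "immutable append-only audit store" means in practice (this is example code, not ExperientialOS's implementation; the field names, actors and sample entries are constructed), each record below carries actor, timestamp, action, subject and context plus the hash of the previous record, so editing, reordering or inserting records breaks the chain. The edge case a chain alone misses is deleting the newest records: that is only caught when the latest hash is anchored somewhere the log writer cannot alter, which `verify` models with an `expected_head` argument.

```python
"""Hash-chained, append-only audit log with tamper detection (illustrative, constructed data)."""
import copy
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # prev-hash of the very first entry


def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash does not depend on key order.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, ts: str, actor: str, action: str, subject: str, context: dict) -> dict:
        """Append one read/write/delete record, chained to the previous record's hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "actor": actor, "action": action,
                 "subject": subject, "context": context, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest hash; publish or escrow this outside the log to detect trailing deletion."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return the index of the first bad record, len(entries) if the tail was cut, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.get("seq") != i or e.get("prev") != prev or _digest(e) != e.get("hash"):
                return i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)  # chain is internally consistent but shorter than anchored head
        return None


def sample_log() -> AuditLog:
    # Constructed sample records: a capture, a staff read, and a retention-driven delete.
    log = AuditLog()
    log.append("2024-06-01T10:00:00Z", "svc:capture", "write", "guest:1042",
               {"field": "photo", "program": "tour-a"})
    log.append("2024-06-01T10:05:00Z", "user:agency-ops", "read", "guest:1042",
               {"field": "email", "reason": "ticket-77"})
    log.append("2024-06-02T09:00:00Z", "svc:retention", "delete", "guest:1042",
               {"field": "photo", "rule": "consent-expired"})
    return log


def tamper_demo() -> dict:
    """Show which tampering the chain catches on its own and which needs an anchored head."""
    log = sample_log()
    head = log.head()

    edited = copy.deepcopy(log)
    edited.entries[1]["actor"] = "user:someone-else"  # rewrite history on record 1

    truncated = copy.deepcopy(log)
    truncated.entries.pop()  # drop the newest record

    return {
        "intact": log.verify(head),
        "edited": edited.verify(head),
        "truncated_with_anchor": truncated.verify(head),
        "truncated_no_anchor": truncated.verify(),
    }
```

The last result is the one to remember: without an externally anchored head hash, removing the newest records leaves a perfectly valid-looking chain, so an "immutable" store needs the head published, escrowed, or written to storage with object-lock semantics, not just chained.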

Compliance posture

We meet your legal team where they are.

We sign DPAs, MSAs, and data-handling addenda. We answer formal security questionnaires. For regulated builds, we scope the deployment to the requirements your team identifies. Tell us what your team needs and we'll respond specifically.

GDPR

Data export, right-to-erasure, and DPA on request

CCPA / CPRA

Per-field controls and rights workflows built in

BIPA & state biometric

Documented handling for photo and facial data

SOC 2 Type II via Risetime

Optional certified hosting through our compliance partner

Photo & biometric handling

The data class most experiential programs get wrong.

Photo and facial data carries elevated regulatory risk in Illinois (BIPA), Texas (CUBI), Washington, the EU, and a growing list of jurisdictions. Most experiential programs cannot answer where this data lives, when it expires, or what was consented to. We can.

  • Documented capture, storage, and retention policy per program
  • Per-jurisdiction consent language for Illinois, Texas, Washington, and EU
  • Automatic purge schedules tied to the consent receipt
  • Audit trail for every download, share, or delivery of photo media

Certified hosting partner

SOC 2 Type II hosting, through the people who do this for a living.

ExperientialOS is not directly SOC 2 Type II certified, because compliance hosting isn't our craft; experiential data is. So we partnered with Risetime, a SOC 2 Type II certified hosting and compliance specialist whose entire business is keeping platforms like ours audit-ready.

For brands that need formal certification documentation, we deploy your tenant on Risetime's infrastructure for an additional hosting fee: same software, same governance layer, with a clean SOC 2 Type II attestation trail your CISO can hand straight to procurement. Be clear with your reviewers about what that report covers: Risetime's attestation speaks to Risetime's hosting controls, while the application-layer controls described on this page (encryption, access control, retention, audit logging) remain ours to document, and we answer them in your security questionnaire.

Your data is just as safe either way. The Risetime path is for the moments when legal, security, or procurement need the extra paper trail, and you want a partner whose full-time job is keeping that paper trail clean.

Ask us about adding SOC 2 Type II hosting to your scope.

SOC 2 Type II attestation

Inherited from Risetime's certified infrastructure — clean attestation trail for legal and procurement reviews.

Compliance as core competency

Risetime exists to keep client environments audit-ready. They live in this; we live in experiential.

Same software, certified host

Same ExperientialOS governance layer, deployed onto Risetime's certified hosting tier as an add-on.

Dedicated deploy

Your system runs in your tenant.
Not a shared platform.

Every brand ships to an isolated environment they control. Same code, different deploy — with your keys, your data, your region. Nothing co-mingled with another client's guest data, ever.

Isolated deploy

Your cloud account · your VPC · your network policy

Your keys

KMS, secrets manager, and rotation owned by you

Your region

Pick the region to match your data-residency rules

Your database

Postgres or warehouse of choice · full export any time

Security review

Your legal and security teams have questions. We have specific answers.

Send your DPA, your security questionnaire, or your architecture requirements. We respond in hours — not days — with specifics, not platitudes.