Security and compliance
Built so your security team can say yes.
We handle public signal data on behalf of teams that operate under real compliance obligations. Here is how we keep that trust.
Programs
SOC 2 Type II
Audit underway with a Big Four firm. Type I report expected Q3, Type II twelve months thereafter.
GDPR
Data Processing Addendum on request. Sub-processor list maintained on this page.
CCPA
We honor verified consumer requests within statutory windows. We do not sell personal information.
Controls
Encryption
All customer data is encrypted at rest with AES-256 and in transit with TLS 1.2 or higher. Backups are encrypted with separate keys; key rotation is automated on a 90-day cadence.
Authentication
Email and password with optional TOTP for all plans. SAML 2.0 single sign-on through Okta, Microsoft Entra ID, and Google Workspace on the Enterprise plan. SCIM provisioning available on request.
Authorization
Role-based access control with workspace, project, and dataset scopes. Read, write, and admin roles are configurable per workspace; service accounts use scoped tokens with explicit allowlists.
Audit logging
Every read of customer data and every administrative action is logged with actor, scope, and timestamp. Audit logs are exportable as JSON or shipped to a customer-owned SIEM via webhook.
Tenant isolation
Logical isolation by default with per-workspace encryption keys. Single-tenant deployments and customer-managed keys (CMK) are available on the Enterprise plan.
Vulnerability management
Continuous dependency scanning, weekly container scans, and an annual third-party penetration test. Critical findings are remediated on a 14-day SLA.
Sub-processors
The third parties we rely on to deliver the service. We notify customers at least 30 days before adding a new sub-processor that touches customer data.
| Vendor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Primary compute and storage | United States |
| Cloudflare | Edge delivery and DDoS protection | Global |
| Vercel | Marketing site and dashboard hosting | United States |
| Supabase | Operational database hosting | United States |
| Resend | Transactional email delivery | United States |
| Sentry | Application error monitoring | United States |
| Datadog | Infrastructure observability | United States |
| Stripe | Billing and payment processing | United States |
Reporting a vulnerability
We welcome coordinated disclosure. Email security@signalgrid.com with reproduction steps. We acknowledge within one business day and confirm impact within five.
For procurement-grade documentation (SOC 2, DPA, penetration test summary), use the contact form.
Bring your security questionnaire.
We answer most enterprise security reviews in under 48 hours.