Security and compliance
Audit-grade controls built into the platform.
Designed to pass external review in regulated industries without retrofitting. Controls are first-class, not bolt-on.
Posture
SOC 2 Type II audit is in progress. Certifications listed are honest as of today.
Audit log
Tamper-evident. Verifiable by your auditors.
Every state change, every permission decision, every authentication event, every admin action, and every data export is captured. Append-only.
- Coverage
- Every action that mutates data or accesses sensitive resources is recorded with the acting user, the time, and the result.
- Integrity
- Each entry is cryptographically linked to the one before it. Any tampering breaks the chain and is detected on verification.
- Independence
- Your auditors verify the chain without needing access to our systems. The verification procedure is standard and documented.
- Export
- Download the audit trail for any date range in CSV or JSON. Standard compliance tools ingest it directly.
- Retention
- Seven years by default; configurable per organization. Hard deletion requires multi-step approval and is itself audited.
Audit log
Tenant: ACME-INDIA
- 08:01:14 Chain verified
A. Patel performed lead.create
lead/0193 fa12
- 08:01:14 Chain verified
system performed workflow.assign
lead/0193 fa12
- 09:22:46 Chain verified
M. Chen performed note.add
lead/0193 fa12
- 09:55:02 Chain verified
M. Chen performed lead.state.update
NEW -> CONTACTED
- 10:14:11 Verifying
system performed audit.export
range 30d
Each entry is linked to the previous one. Tampering breaks the chain and is detected on verification.
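How an auditor could check an exported trail offline, as an added illustration of the Integrity and Independence items; it is not the platform's documented verification procedure. The page does not state the hash function or export schema, so SHA-256, the field names (`seq`, `prev_hash`, `entry_hash`), the all-zero genesis value and the sample entries are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the first entry

def entry_digest(entry):
    """SHA-256 over canonical JSON of every field except entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def append(chain, actor, action, target, ts):
    """Build the next entry, linking it to the current head of the chain."""
    entry = {"seq": len(chain), "ts": ts, "actor": actor, "action": action,
             "target": target,
             "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS}
    entry["entry_hash"] = entry_digest(entry)
    chain.append(entry)
    return entry

def verify(chain, expected_head=None):
    """Return (True, None) or (False, reason).

    expected_head is a head hash the auditor recorded out of band. Without
    it, a truncated tail or a fully recomputed chain still verifies.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i:
            return False, f"entry {i}: sequence gap or reordering"
        if entry.get("prev_hash") != prev:
            return False, f"entry {i}: prev_hash does not match predecessor"
        if entry_digest(entry) != entry.get("entry_hash"):
            return False, f"entry {i}: contents do not match entry_hash"
        prev = entry["entry_hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head hash differs from the recorded value"
    return True, None

def sample_chain():
    """Constructed sample entries modeled on the event types shown above."""
    chain = []
    append(chain, "A. Patel", "lead.create", "lead/sample", "08:01:14")
    append(chain, "system", "workflow.assign", "lead/sample", "08:01:14")
    append(chain, "M. Chen", "note.add", "lead/sample", "09:22:46")
    append(chain, "M. Chen", "lead.state.update", "NEW -> CONTACTED", "09:55:02")
    return chain
```

An unkeyed hash chain only proves internal consistency, so the auditor should compare the final hash against a head value obtained independently of the export, which is what `expected_head` models.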
Data protection
Encryption at rest and in transit.
Sensitive personal data is encrypted at the column level inside the database. The rest of the platform is encrypted at the disk and network layers. Keys are managed by a dedicated key management service with annual rotation.
- At rest
- AES-256 column-level encryption for personal data. Full-disk encryption everywhere else.
- In transit
- Modern TLS only. HSTS enforced.
- Key management
- KMS-managed. Annual rotation. Production keys never live in code or environment files.
- Secrets
- OAuth tokens, connector credentials, and channel configurations are encrypted before they touch the database.
- Data residency
- Single-region deployment by default. Multi-region available for customers with residency requirements.
Identity
Enterprise sign-in. Strong second factors.
Bring your identity provider. Enforce multi-factor authentication organization-wide. Step-up authentication required before destructive actions.
- Single sign-on
- SAML 2.0 and OIDC. Google Workspace, Microsoft Entra ID, Okta, Auth0, and any standards-compliant identity provider.
- Multi-factor
- Authenticator apps and hardware security keys. SMS as the only second factor is not permitted.
- Sessions
- Short-lived. Visible per device in a self-service settings page; revocable instantly.
- Network controls
- IP allowlists per organization and per role.
- Lockout
- Automated lockout and challenge after repeated failed sign-in attempts.
- Step-up
- Destructive admin actions require a fresh authentication factor.
Built for organizations that run sales across markets.
Talk to us about your deployment, your access model, your sources. We will follow up within one business day.
