Security

How we keep your data safe.

Security at Pondral is engineered, audited, and documented — not a checklist on a marketing page.

Posture

  • GDPR / CCPA — compliant; DPA available on request for paid plans
  • Encryption — at rest and in transit
  • Access — least-privilege, audit-logged

Encryption

All data is encrypted in transit with TLS 1.3 and at rest with AES-256. Encryption keys rotate every 90 days. Customer data is logically isolated per workspace.

Access controls

  • SSO via SAML, Google, and Microsoft (Scale plans)
  • SCIM provisioning
  • Role-based access control with audit logs
  • Hardware security keys required for engineering staff with production access

Incident response

24-hour notification SLA for any incident affecting your data. Public post-mortems for incidents lasting more than 60 minutes.

For full vendor-review packages, see /compliance. Vulnerability disclosure: security@pondral.com.

Last updated April 2026