Trust
Built for buyers whose legal team has to say yes.
Certifications
- SOC 2 Type II — target Q3 2026 (3-month observation window)
- DPDP self-assessment (India) — published on request
- Annual penetration testing — begins post-SOC 2; ISO 27001 work follows
Controls
- Encryption at rest: AES-256; customer-managed KMS available on Flagship
- Encryption in transit: TLS 1.2+ everywhere; mTLS for private deployments
- Access: SSO via SAML/OIDC (Entra, Okta, Google Workspace); role-based at seat level
- Audit: immutable audit log retaining 13 months of queries and actions
- Residency: data residency pinnable to ap-south-1 for India compliance
- Isolation: Flagship deployments keep customer data inside the customer VPC
Subprocessors
- Cloud provider: compute, storage, managed Postgres
- Edge / CDN: global edge cache and tunnel
- LLM inference: contractual data boundaries; no training on customer data
Methodology & corrections
Every published claim is footnoted to a named source. When a signal is wrong, we correct it in place and record the revision — misses stay on the record (see Predict). Methodology summary and the full source ledger are public (Sources).
Incident response
A named DRI owns incidents; affected customers are notified within 4 hours. Reach security at security@retailopedia.app.