security & compliance.
Procurement officers read this page first. So we wrote it for them — not for marketing.
attestations
- ✓SOC 2 Type II — audit complete Q1 2026. Report available under MNDA on request.
- ✓Annual penetration test — by an independent third-party security firm. Summary available under MNDA.
- ✓CSA STAR Level 1 — self-assessment published in CSA STAR registry.
- →ISO 27001 — in progress, target Q4 2026.
data & encryption
- data residency — US (default) and EU regions. Data does not leave the chosen region.
- encryption — TLS 1.3 in transit; AES-256 at rest. Customer-managed keys (CMK) on the Enterprise plan.
- retention — 7-day audit log on the Standard plan; 90-day on Enterprise. Customers can purge their data via API or in-app at any time. We do not retain data after a team is deleted.
- backups — daily encrypted backups in the same region as production, 30-day retention, quarterly restore tests.
access control
- ✓SSO via SAML 2.0 (Okta, Azure AD, Google Workspace) — Enterprise plan
- ✓SCIM 2.0 user provisioning + deprovisioning — Enterprise plan
- ✓Role-based access — admin, member, read-only
- ✓Per-team workspace isolation — no cross-tenant queries possible at the database layer
subprocessors
We use the following subprocessors. Customers receive 30 days' notice of any addition or change.
| vendor | purpose | data shared |
|---|---|---|
| Cloudflare | Edge + CDN + DDoS | request metadata only |
| Stripe | Billing | payment details + admin email |
| Postmark | Transactional email | recipient email + message body |
| AssemblyAI | Transcription | audio (deleted after transcription) |
disclosure
Found a security issue? Email security@foldspace.upstate-web.com with a description, steps to reproduce, and your name + role. PGP key on the contact page.
We respond to all reports within 24 hours. Bounty program for unique high-impact findings — see /security/bounty.