Trust & security

Built for the buyer who has to sign off.

Findola is engineered so the CISO, the General Counsel, and the Chief Data Officer all get to "yes." If a control isn't documented below, ask us — chances are we've already shipped it.

SOC 2 Type II

Annual third-party audit. Report under NDA.

ISO 27001

Certified. ISO 42001 in progress.

HIPAA

BAA available. Healthcare customers in production.

GDPR & EU AI Act

EU data residency. DPA included.

Architecture

Tenant isolation at compute, data, and model layers.

Each customer gets their own logical tenant with per-customer KMS keys. Enterprise customers can run in a dedicated VPC, BYOC into their own AWS / Azure / GCP, or air-gapped on-prem.

Data

Encryption at rest (AES-256) and in transit (TLS 1.3). Per-tenant KMS keys. BYOK on Enterprise.

Identity

SSO (SAML 2.0, OIDC), SCIM 2.0 provisioning, MFA enforced, session management with idle timeouts.

Access

RBAC with per-action permissions. ACLs from source systems honored at query time.

Network

Private VPC, IP allowlisting, AWS PrivateLink option, mTLS to upstream models.

AI safety

Prompt-injection defenses, output validators, tool allowlists, sandboxed execution.

Observability

Immutable audit log, SIEM export (Splunk, Datadog, Sumo), real-time anomaly alerts.

Responsible disclosure

We run a public bug bounty through HackerOne. Critical findings paid within 48 hours. Public hall of fame for first reporters.

security@findola.com · PGP fingerprint A1B2 C3D4 E5F6 …

Sub-processors

A current list is maintained in our Trust Center. Notable: AWS (us-east-1, eu-west-1), Cloudflare (edge), Anthropic + OpenAI (model inference, zero-retention), WorkOS (SSO/SCIM), Stripe (billing).

Request Trust Center access