Encryption everywhere
TLS 1.3 in transit. AES-256-GCM at rest for events, replays, attachments, and config payloads. Per-project encryption keys, rotatable.
Identity & access
SSO (SAML 2.0, OIDC) on Growth and Enterprise. RBAC at the project, team, and resource level. Audit log of every read and write, with export to S3 on Enterprise.
Data residency
Cloud tenants pin data to EU, US, or AF regions on signup. Enterprise tenants can run air-gapped on their own infrastructure, with the same binary.
Secret handling
API keys are scoped per environment and never logged. Server-side keys live behind your own KMS; we don't see them. Replay PII is masked at capture, not in storage.
GDPR-ready operations
Right-to-access, right-to-erasure, and portability endpoints on the engine API. DPAs available on Pro and above. Sub-processor list published and versioned.
Responsible disclosure
[email protected] for vulnerability reports. We acknowledge within 24 hours and ship a fix or mitigation per severity. No bounties yet — credit instead.