Security

Product security

SSO and 2FA: You can sign in via your Google account (optional 2FA via Google). You can also hook up your own authentication system via SAML 2.0 (on the Enterprise plan) and maintain full control.
Passwords: Local passwords are stored in hashed form using bcrypt according to our policy guidelines.
Authorization: Access to your data is safely kept behind your account's login; only you and those you choose to share your data with can access it. You can configure multiple roles within your organization.
Uptime: We aim for 4 nines of uptime (99.99%), and currently we are above that.
Software security: We rotate all our operating system images and dependent software on a weekly basis, using the latest distro with updated security patches.
Data retention: We take privacy seriously. All data deleted by the customer is either permanently deleted (including backups), or anonymized for privacy protection and GDPR requirements.

Network security

Hosting facility: We use Google Cloud Platform for our hosting needs. All data is stored in the U.S. Eastern region.
Redundancy & Backups: All data is redundant and backed up by default, with primary and secondary copies stored in multiple regions (U.S. Eastern).
Access and permissions: We run a deny-all policy for all our applications and data for our staff. Access is granted only to those employees who require access to perform their duties.
Encryption: All data is encrypted in transit using TLS 1.2, and at rest with our platform partner, Google Cloud Platform.
Security testing: Validately uses an external third party to run annual security and penetration testing on all our applications. Contact us at security@validately.com for more information.
Incident response: We monitor for incidents and have an incident and security breach plan in place in the event such a situation arises. To date we’ve had no such incidents.

Additional security

Policies: We have information security and privacy policies in place. All our staff are required to read and follow the guidelines.
Employee vetting: We perform background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.
Confidentiality: All employment contracts include a confidentiality clause.
PCI and payment data: We leverage Stripe.com for all our payment requirements. Stripe’s security page can be found here.