security

Quietly serious.

A summary of how we handle your data. The full operational details are available under NDA on request.

Last updated · May 2026

Data residency

Customer data is stored in EU-resident infrastructure by default (Frankfurt, Stockholm). US-resident hosting is available on request. We do not move data between regions without written instruction.

Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Database backups are encrypted with separately managed keys. Salesforce and ad-platform OAuth tokens are encrypted at the application layer with rotating keys before they are persisted, so a database-level read alone does not expose a usable token.
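The token-encryption scheme described above, as an added illustration. This is not Soclar's code and it assumes details the page does not state: AES-256-GCM as the cipher, a key-version prefix stored with every blob (so rotation does not break reads of older rows), and the owning record id bound as associated data (so a token blob copied between rows fails to decrypt). Keys here are generated in memory for the demo; in production they would come from a KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Keyring holds versioned 256-bit data-encryption keys. Assumption (not from
// the page): keys are identified by an integer version, the newest version is
// used for all writes, and older versions stay readable until retired.
type Keyring struct {
	keys    map[uint32][]byte
	current uint32
}

// NewKeyring creates a ring with a single fresh key as version 1.
func NewKeyring() (*Keyring, error) {
	kr := &Keyring{keys: map[uint32][]byte{}}
	if _, err := kr.Rotate(); err != nil {
		return nil, err
	}
	return kr, nil
}

// Rotate generates a new key and makes it current. Old versions are kept so
// that blobs written under them can still be opened and re-encrypted.
func (kr *Keyring) Rotate() (uint32, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return 0, err
	}
	kr.current++
	kr.keys[kr.current] = key
	return kr.current, nil
}

// Retire drops an old key once every blob has been moved off it.
func (kr *Keyring) Retire(version uint32) error {
	if version == kr.current {
		return errors.New("cannot retire the current key")
	}
	delete(kr.keys, version)
	return nil
}

func (kr *Keyring) aead(version uint32) (cipher.AEAD, error) {
	key, ok := kr.keys[version]
	if !ok {
		return nil, fmt.Errorf("unknown key version %d", version)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a token under the current key. Output layout (assumed):
// [4-byte key version][12-byte nonce][ciphertext || 16-byte tag].
// recordID is authenticated (AAD) but not encrypted, binding the blob to its row.
func (kr *Keyring) Seal(token, recordID []byte) ([]byte, error) {
	g, err := kr.aead(kr.current)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 4, 4+len(nonce)+len(token)+g.Overhead())
	binary.BigEndian.PutUint32(out, kr.current)
	out = append(out, nonce...)
	return g.Seal(out, nonce, token, recordID), nil
}

// Open decrypts a blob using whichever key version it was written under and
// reports that version so callers can decide whether to re-encrypt.
func (kr *Keyring) Open(blob, recordID []byte) ([]byte, uint32, error) {
	if len(blob) < 4 {
		return nil, 0, errors.New("ciphertext too short")
	}
	version := binary.BigEndian.Uint32(blob[:4])
	g, err := kr.aead(version)
	if err != nil {
		return nil, 0, err
	}
	ns := g.NonceSize()
	if len(blob) < 4+ns+g.Overhead() {
		return nil, 0, errors.New("ciphertext too short")
	}
	token, err := g.Open(nil, blob[4:4+ns], blob[4+ns:], recordID)
	if err != nil {
		return nil, 0, errors.New("decryption failed") // wrong key, wrong row, or tampering
	}
	return token, version, nil
}

// ReEncrypt moves a stored blob onto the current key after a rotation.
func (kr *Keyring) ReEncrypt(blob, recordID []byte) ([]byte, error) {
	token, version, err := kr.Open(blob, recordID)
	if err != nil {
		return nil, err
	}
	if version == kr.current {
		return blob, nil
	}
	return kr.Seal(token, recordID)
}

func main() {
	kr, _ := NewKeyring()
	id := []byte("salesforce-connection:42") // constructed sample row id
	blob, _ := kr.Seal([]byte("example-refresh-token"), id)
	v, _ := kr.Rotate()
	moved, _ := kr.ReEncrypt(blob, id)
	_, was, _ := kr.Open(blob, id)
	_, now, _ := kr.Open(moved, id)
	fmt.Printf("rotated to v%d; old blob v%d still readable, re-encrypted blob is v%d\n", v, was, now)
}
```

The practical check is the order of operations at rotation time: add the new key, re-encrypt every row, and only then retire the old version; retiring first turns every untouched row into an unrecoverable blob.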

Authentication

SSO via Google Workspace and Microsoft Entra is available on every engagement. We support enforced 2FA and IP allow-lists for admin actions.

Sub-processors

Our current sub-processor list is available at [link to sub-processor page coming soon] and is updated whenever the list changes. Customers receive 30 days' notice before any new sub-processor is added.

Retention & deletion

Customer data is retained for the duration of the engagement plus a contractual tail. On termination, we delete production data within 30 days and backups within 90 days. Deletion is verified in writing.

Compliance

Soclar is built to meet GDPR requirements as a data processor. SOC 2 Type I is in progress; Type II will follow within 12 months of GA.

Reporting an issue

If you believe you've found a security issue, write to security@soclar.ai. We respond within one business day and follow a 90-day coordinated disclosure window.

What this page is, and isn't

This is a summary written for humans. It is not the full operational runbook, the customer DPA, or our annual penetration-test report — those are shared under NDA during procurement.