Security & Trust
This page tells you exactly where we are on security and compliance. No badges, no certifications we do not hold, no aspirational claims dressed up as current capabilities.
Where we are today
Digitlify is an early-access startup. We are not currently certified under SOC 2, HIPAA, ISO 27001, or similar frameworks.
Our security program is actively under development. We build with industry-standard practices and we intend to pursue formal audits as we grow, but today we are pre-certification. If your procurement process requires a signed attestation from one of those frameworks, we are not yet a fit — and we would rather tell you that up front than ship you a fake badge.
If you have specific security questions, questions about our posture, or an early-access due-diligence request, email [email protected].
Principles we follow
These are practices we actually implement today, not things we plan to implement later. If we have not shipped it, it is not on this list.
Encryption in transit
All traffic is served over TLS 1.2 or higher. Modern cipher suites only. HSTS is enabled at the edge.
Encryption at rest
Customer data and credentials are encrypted at rest with AES-256 at the storage layer.
Least-privilege access
Internal access to production is gated by MFA and limited to named on-call engineers. Access is reviewed monthly during early access.
Tenant isolation by plan
Each workspace is isolated at the database schema and runtime level. Dedicated namespaces on higher tiers.
Audit logging
Every agent action, approval decision, and admin change is captured in an immutable audit log.
HITL gates for destructive actions
High-risk actions flow through configurable human-in-the-loop approval gates before execution. See our governance model for details.
Dependency scanning
Production dependencies are scanned for known CVEs on every build. Critical vulnerabilities are patched within our published cadence.
Backups
Daily encrypted backups of customer data with tested restore procedures. Retention per plan tier.
What we are building toward
Each item below is either in progress, planned, or gated on customer demand. Nothing here is a current offering.
SOC 2 Type I audit
Auditor not yet engaged. Target: post-GA, 2026 H2. Control framework is being designed and will be finalized before the audit kickoff.
SOC 2 Type II attestation
Follows Type I. Minimum 6-month observation window required after Type I completion.
GDPR data-processing controls
We offer a standard DPA on request today. Formal controls implementation targeted post-GA. EU data residency is on the roadmap.
HIPAA readiness
Will be pursued when we onboard a customer with a qualified use case. BAA template under review with counsel.
ISO 27001
Will follow SOC 2 Type II if customer demand warrants it.
Penetration test
First third-party pen test planned before our first enterprise customer goes live.
How we handle your data
The short version of our Privacy Policy and Data Processing Agreement.
Do you train models on my data?
No. Customer data is not used to train shared models. Doing so would require an explicit opt-in feature, and that feature is not shipped.
Who can see my data inside Digitlify?
A small on-call engineering team with named, MFA-gated access. Production access is audited and reviewed monthly.
Where is my data stored?
EU by default. US residency available for early-access customers on request. Data does not leave the contracted region without explicit consent.
What happens if I cancel?
You can export your data before cancellation. After cancellation, data is retained for 30 days per the Privacy Policy, then deleted.
Do you have a Data Processing Agreement?
Yes. See /dpa. Sign-off for enterprise customers is handled during onboarding.
Do you sub-process my data with third parties?
Yes, for infrastructure and services we do not run ourselves. The current sub-processor list is maintained at /subprocessors.
Responsible disclosure
If you believe you have found a security vulnerability in Digitlify, please report it to us before disclosing publicly. We will acknowledge your report within one business day and keep you updated as we triage and fix.
Email: [email protected]
Policy: Vulnerability Disclosure Policy
We do not currently run a bug bounty. We will credit researchers who follow responsible disclosure (with your permission) in our public changelog.
Enterprise due diligence?
If you are in procurement and need to understand our security posture in more detail, talk to us. We will tell you exactly where we are and where we are going. No surprises.