Security
SOC2 Ready
Architecture designed to SOC2 Trust Services Criteria. Access control, change management, availability monitoring, and incident response built into the platform.
GDPR and CCPA
Built-in data subject rights tooling: search, export, deletion, and denial with request lifecycle tracking and statutory retention.
Single Sign-On
SAML 2.0 and OIDC with just-in-time provisioning, role mapping, and the option to enforce SSO as the only authentication method.
Encryption
All credentials and sensitive data encrypted at rest with industry-standard symmetric encryption. All communications encrypted in transit via HTTPS.
Audit Logging
Every security-relevant action logged with user attribution, organization context, and timestamps. Exportable for compliance review.
Access Control
Role-based access control with isolated multi-tenancy. Admin and member roles with configurable permission flags per organization.
GDPR and Data Subject Rights
datathere includes purpose-built tooling for responding to data subject access requests. Search across all stored data using configurable terms. Export matched records. Delete with full redaction. Deny with documented reasoning per Article 12.5. Every request is tracked from intake through fulfillment with an immutable audit trail.
- Right of access (Art. 15) and right to erasure (Art. 17)
- Row-level redaction with transactional deletion across database records, S3 objects, and application logs
- Cascade delete across all storage layers including S3 source files and processed outputs
- Full request lifecycle tracking with immutable audit trail
- AI provider data disclosure tracking
Single Sign-On and Authentication
Connect your identity provider via SAML 2.0 or OIDC. New users are provisioned automatically on first login with configurable default roles. Organizations can enforce SSO as the only authentication method, disabling password login entirely. Session lifetimes and domain restrictions are configurable per organization.
- SAML 2.0 and OIDC support
- Just-in-time user provisioning with role mapping
- Enforce SSO-only authentication per organization
- Account lockout and brute-force protection
Audit Logging
Every security-relevant action is recorded with user attribution and organization context. Authentication events, administrative changes, SSO configuration updates, and GDPR requests are all captured. Export logs in CSV or JSON for compliance review, incident investigation, or integration with your SIEM.
- Authentication, admin, SSO, and GDPR event categories
- User attribution on every event
- CSV and JSON export for compliance review
- Per-user activity tracking across all API operations
SOC2 Readiness
Access Control
Role-based permissions, organization-level data isolation, SSO enforcement, and session management.
Change Management
Mapping certification locks configurations before production. Unlocking requires written justification in the audit trail.
Availability
Tiered rate limiting across all endpoints, input validation on every request, and sandboxed execution for user-submitted code.
Confidentiality
Encryption at rest for all credentials and sensitive data. Encryption in transit for all communications. Secure, consistent error handling across all endpoints.
Encryption
All credentials, API keys, webhook secrets, and SSO configuration are encrypted at rest with industry-standard symmetric encryption. All data in transit is encrypted via HTTPS. Sensitive fields are redacted from API responses and log output automatically.
- All credentials encrypted at rest
- HTTPS enforced for all communications
- Secrets excluded from API responses and logs
Multi-Tenancy
Each organization operates in isolation. Sources, destinations, mappings, and execution history are scoped per tenant at the data layer. Role-based access control governs what each user can do within their organization. User-submitted transformation code runs in isolated sandboxes.
- Complete data isolation per organization
- Role-based access control within each tenant
- Sandboxed execution for user-submitted code