GreenSlope

Security & trust

Every claim below links to evidence — a certificate, a policy, a subprocessor, or a date. If it's not here, we either haven't done it yet (and we'll tell you when) or it's not a claim we're willing to make.

Attestation

SOC 2 Type II

Renewed Jan 2025 · Schellman

Privacy

HIPAA + GDPR

BAA available · DPA on request

Residency

EU · UK · US

Customer-selected at signup

Last pen test

Feb 2025

Cure53 · report on request

§ 01 What we promise, in plain English
One page, no PDFs

Eight commitments — with the evidence attached.

All customer data is encrypted in transit (TLS 1.3) and at rest (AES-256).

Backed by AWS KMS with per-tenant keys. Link to our key-rotation policy.

Verified

We are SOC 2 Type II (Security, Availability, Confidentiality).

Latest report dated Jan 2025 by Schellman. Download under NDA from our trust centre.

Renewed 2025

You choose where your data lives: EU, UK, or US.

Set at signup. Immutable after first ingest. Cross-region transfers are disabled by default.

Self-serve

SSO (SAML 2.0), SCIM provisioning, and fine-grained RBAC on Team plans.

Tested with Okta, Entra ID, Google Workspace, Rippling. Emergency break-glass is logged.

Available

No customer data is used to train third-party LLMs.

The root-cause agent runs on a private inference endpoint. See our AI data handling policy.

Policy v2.1

Sensitive fields are redacted before ingest.

PII / PHI / secret patterns filtered client-side. Redaction rules are configurable per-service.

Client-side

We are not yet FedRAMP-authorised.

On the roadmap for 2026 H2. If you need this now, we'd rather say so than pretend otherwise.

Planned 2026

We don't offer customer-managed encryption keys (CMEK) on standard plans.

Available only on a bespoke single-tenant deployment. Talk to us if that's a hard requirement.

Enterprise only
§ 02 Security controls by plan
Matrix view

What's included where.

Control
Starter
Team
Enterprise
2FA (TOTP + WebAuthn)
Included
Required
Required
SSO (SAML 2.0)
Included
Included
SCIM user provisioning
Included
Included
Audit log export (API)
90 days
1 year
Data residency choice
US only
EU / UK / US
EU / UK / US
Customer-managed keys (CMEK)
Included
IP allowlist / VPC peering
Allowlist only
Both
Uptime SLA
99.9%
99.95%
99.99%
Signed DPA & BAA
Standard DPA
Both
Both, negotiable
§ 03 Subprocessors
Updated monthly

Who we trust with your data — and for what.

You can subscribe to a webhook that fires on any subprocessor change, 30 days before it takes effect. We've never silently added one and we don't plan to start.

Amazon Web Services

US · EU · UK

Primary infrastructure — compute, object storage, KMS.

Cloudflare

Global edge

DDoS protection, TLS termination, bot mitigation.

Datadog

US-EU-1

Our own internal observability. No customer data ingested.

Anthropic

Private endpoint

Root-cause agent inference. Zero-retention endpoint; no training.

Stripe

US

Billing and subscription management. PCI DSS Level 1.

HubSpot

US-EU

Sales & marketing CRM. Contains contact data only.

Slack

Customer-controlled

Incident channel integration. No data stored at Slack by us.

GitHub

US

Source control integration. Read-only access to selected repos.

SendGrid

US-EU

Transactional email — account and security notifications.

Report a vulnerability

Responsible disclosure, no lawyers involved.

If you think you've found something, email security@greenslope.io or open a report on our HackerOne programme. We respond within 24 hours, fix high-severity issues within 7 days, and credit you publicly if you'd like.