Security & trust
Every claim below links to evidence — a certificate, a policy, a subprocessor, or a date. If it's not here, we either haven't done it yet (and we'll tell you when) or it's not a claim we're willing to make.
Attestation: SOC 2 Type II (Renewed Jan 2025 · Schellman)
Privacy: HIPAA + GDPR (BAA available · DPA on request)
Residency: EU · UK · US (Customer-selected at signup)
Last pen test: Feb 2025 (Cure53 · report on request)
Eight commitments — with the evidence attached.
All customer data is encrypted in transit (TLS 1.3) and at rest (AES-256).
Backed by AWS KMS with per-tenant keys. See our key-rotation policy.
We are SOC 2 Type II (Security, Availability, Confidentiality).
Latest report dated Jan 2025 by Schellman. Download under NDA from our trust centre.
You choose where your data lives: EU, UK, or US.
Set at signup. Immutable after first ingest. Cross-region transfers are disabled by default.
SSO (SAML 2.0), SCIM provisioning, and fine-grained RBAC on Team plans.
Tested with Okta, Entra ID, Google Workspace, Rippling. Emergency break-glass is logged.
No customer data is used to train third-party LLMs.
The root-cause agent runs on a private inference endpoint. See our AI data handling policy.
Sensitive fields are redacted before ingest.
PII / PHI / secret patterns are filtered client-side. Redaction rules are configurable per service.
We are not yet FedRAMP-authorised.
On the roadmap for 2026 H2. If you need this now, we'd rather say so than pretend otherwise.
We don't offer customer-managed encryption keys (CMEK) on standard plans.
Available only on a bespoke single-tenant deployment. Talk to us if that's a hard requirement.
What's included where.
Who we trust with your data — and for what.
You can subscribe to a webhook that fires on any subprocessor change, 30 days before it takes effect. We've never silently added one and we don't plan to start.
Amazon Web Services (US · EU · UK): Primary infrastructure — compute, object storage, KMS.
Cloudflare (Global edge): DDoS protection, TLS termination, bot mitigation.
Datadog (US-EU-1): Our own internal observability. No customer data ingested.
Anthropic (Private endpoint): Root-cause agent inference. Zero-retention endpoint; no training.
Stripe (US): Billing and subscription management. PCI DSS Level 1.
HubSpot (US-EU): Sales & marketing CRM. Contains contact data only.
Slack (Customer-controlled): Incident channel integration. No data stored at Slack by us.
GitHub (US): Source control integration. Read-only access to selected repos.
SendGrid (US-EU): Transactional email — account and security notifications.
Report a vulnerability
Responsible disclosure, no lawyers involved.
If you think you've found something, email security@greenslope.io or open a report on our HackerOne programme. We respond within 24 hours, fix high-severity issues within 7 days, and credit you publicly if you'd like.