Security

At SecureSlate, security is at the core of everything we build. This page provides transparency into our security practices, certifications, and infrastructure to help enterprise customers and prospects understand our security posture during vendor reviews.

Certifications and third-party assessments

SOC 2 Type II

SecureSlate is SOC 2 Type II certified, demonstrating our commitment to maintaining robust security controls for availability, confidentiality, and data integrity. Our SOC 2 audit covers our platform infrastructure, data handling practices, and operational procedures.

To request a copy of our SOC 2 Type II report, please visit our Trust Center or contact your account manager. We require a signed NDA for report access.

ISO 27001

We maintain ISO 27001 certification for our information security management system (ISMS). This internationally recognized standard validates our systematic approach to managing sensitive company and customer information.

Additional compliance

SecureSlate supports compliance with HIPAA, GDPR, PCI DSS, and other major frameworks. Our platform is designed with compliance requirements built in, helping our customers meet their regulatory obligations.

Infrastructure security

Cloud infrastructure

SecureSlate is hosted on Google Cloud Platform (GCP), benefiting from enterprise-grade infrastructure with robust physical security, network isolation, and redundancy. Our infrastructure is distributed across multiple regions to ensure high availability and disaster recovery capabilities.

Least-privilege access

We enforce least-privilege access controls across all systems. Team members are granted access only to the resources necessary for their specific roles. Access requests are reviewed and approved by managers, with regular access reviews conducted quarterly.

Multi-factor authentication

MFA is enforced for all production systems, administrative consoles, and critical infrastructure. We use hardware security keys and authenticator apps for strong authentication. Privileged access requires additional verification steps.

Network security

Our network is protected by Cloudflare, providing DDoS protection, WAF (Web Application Firewall), and bot management. All traffic is encrypted in transit using TLS 1.3. We employ network segmentation and VPC isolation to limit blast radius.

AI and data handling

How we use AI

SecureSlate leverages AI to enhance compliance workflows, automate document analysis, and provide intelligent recommendations. When AI features are used, customer data may be processed by our AI subprocessor (OpenAI) solely for the purpose of providing the requested service.

Data retention for AI processing

We have a zero data retention agreement with our AI providers. Customer data processed for AI features is not retained by the AI provider after the request is completed. SecureSlate does not use customer data to train AI models without explicit consent.

Customer control

Customers have control over which features use AI processing. AI-powered features can be disabled at the organization level, and customers can choose to use manual workflows instead.

Data isolation and multi-tenancy

Tenant isolation

SecureSlate employs logical tenant isolation to ensure customer data is strictly separated. Each customer's data is tagged and filtered at the application layer, with database-level row-level security (RLS) policies enforcing access boundaries.

Encryption at rest

All customer data is encrypted at rest using AES-256 encryption. Encryption keys are managed through Google Cloud's Key Management Service (KMS) with regular key rotation. Database backups are also encrypted.

Encryption in transit

All data in transit is encrypted using TLS 1.2 or higher. We enforce HSTS (HTTP Strict Transport Security) and use certificate pinning where applicable. Internal service-to-service communication is also encrypted using mutual TLS (mTLS).

Access controls

Internal access management

Access to production systems is strictly limited to authorized personnel who require it for their job functions. We maintain comprehensive audit logs of all access to production data and systems.

Single Sign-On (SSO)

SecureSlate supports SAML 2.0 and OIDC-based SSO for customer authentication. Enterprise customers can enforce SSO to ensure consistent authentication policies across their organization.

Team security practices

All SecureSlate team members undergo security awareness training upon onboarding and annually thereafter. We enforce strong password policies, device encryption, and screen lock requirements for all company devices.

Account deletion

Requesting data deletion

Customers can request deletion of their account and all associated data by contacting support@getsecureslate.com or through their account settings. Data deletion requests are processed in accordance with our data retention policies and applicable legal requirements.

Deletion SLA

We complete data deletion within 30 days of receiving a verified request. This includes:

  • Active database records
  • Cached data and CDN content
  • Log data (within retention limits required for security and compliance)
  • Backup data (as backups rotate, typically within 90 days)

Some data may be retained longer if required by law or for legitimate business purposes such as fraud prevention, security investigations, or compliance with legal obligations.

Vulnerability disclosures

Security contact

If you believe you've discovered a security vulnerability in SecureSlate, please report it to us at security@getsecureslate.com. We encourage responsible disclosure and will work with you to address any confirmed issues.

Response commitment

We commit to acknowledging vulnerability reports within 2 business days. Our security team will assess reported issues and provide updates on our investigation and remediation progress. We strive to resolve critical vulnerabilities within 30 days.

Bug bounty program

SecureSlate does not currently operate a public bug bounty program. We appreciate responsible disclosure from security researchers and will recognize their contributions where appropriate.

Safe harbor

We support safe harbor for security researchers who:

  • Make good faith efforts to avoid privacy violations and service disruptions
  • Do not access, modify, or delete data belonging to others
  • Provide sufficient information to reproduce and verify the vulnerability
  • Do not publicly disclose vulnerabilities before we've had reasonable time to address them

We will not take legal action against researchers who follow these guidelines.


For additional security information or to request documentation, please contact us at security@getsecureslate.com.