Trust & compliance
Trust, earned in the open.
Where your project data, screenshots and people records live, how they're encrypted, who we share them with, and how all of that is independently audited. We're pre-launch, so this page is candid about what's done and what's still on the way to GA.
Independent audit · data processing terms · residency — status below, no badge theater
Assurance
Where each commitment stands
No framed logos for audits we haven't passed. These are our assurance commitments with their real, current status — we'll move the labels as the work closes, not before.
Independent security audit
Controls designed and in place pre-GA; a third-party audit of them runs during private beta. The report is available to customers under NDA once it closes.
Information security program
A documented security program — policies, access controls, risk reviews and vendor management — maintained and tightened as the company grows.
Data Processing Addendum
A DPA is available to every customer, covering processing roles, subprocessors and how data is handled. Read it on the legal pages.
Data-subject requests
Access, export and erasure of personal data are built into the admin surface — one mechanism for every customer, wherever they are.
How your data is protected
The controls under the audit live in code
An audit attests to controls; ours are enforced in the architecture, not in policy documents alone. The full threat model and a description of how each control is enforced live on the security page.
Privacy & your rights
Your data stays yours
Residency you choose, deletion you control, capture that's anonymized by design, and a hard line against training shared models on your work.
Data residency
EU and US regions at GA; additional regions on enterprise demand. Your tenant lives in the region you choose.
Purge on demand
Workspace owners can delete captured data on demand. Retention is bounded and configurable; purges propagate to backups within the documented window.
Anonymized capture
The work tracker records activity counts and titles only, never raw keystrokes, clipboard contents, file contents, URL paths or the page DOM. The agent contains no code path that reads them.
No training on your data
We don't train shared models on customer data. Any per-tenant adapters, if introduced, stay isolated to that tenant.
Subprocessors
Who else touches your data
A short, deliberate list — we keep the dependency surface small. The canonical, versioned list ships with the DPA and customers are notified before it changes.
| Provider | Purpose | Region |
|---|---|---|
| Amazon Web Services | Compute, database & encrypted object storage (KMS) | EU / US |
| Stripe | Billing & subscriptions — card data never touches our servers | Global |
| Cloudflare | CDN & edge protection (WAF / DDoS) | Global edge |
Card data is handled entirely by Stripe — SpiralDeck never stores primary account numbers.
Reliability & response
Built to stay up — and to come clean when it doesn't
We're not quoting a contractual uptime SLA before we've earned the operating history to back it. Here's what is true today.
Backups & recovery
Postgres is the source of truth, with point-in-time recovery and tested restores. Retention is bounded and documented per workspace.
Incident response
Severity-tiered response targets — critical issues acknowledged in under 24 hours and fixed in production within 7 days. Affected customers are notified.
Status & SLA at GA
A public status page and a contractual uptime commitment for paid plans land at general availability — not a number we can't yet stand behind.
Documents
Everything in one place
The policies and artifacts a security or procurement team needs to evaluate SpiralDeck.
Security policy
Threat model, isolation design, architecture principles and severity-tiered response targets.
Vulnerability disclosure
How to report an issue, safe-harbor terms and our response targets.
Data Processing Addendum
How we process data on your behalf — roles, security measures, subprocessors and deletion.
Security whitepaper
A deeper architecture and controls walkthrough for security reviews.
Do the diligence. We'll make it easy.
Read the security model, request the DPA, or kick off a review — the answers are written down, not improvised on a sales call.