1. Infrastructure
iSada runs on enterprise cloud infrastructure with redundancy across multiple availability zones. Our edge is fronted by Cloudflare for DDoS mitigation, bot management, and WAF protection.
- Hosting: AWS (US-East and Canada-Central), with full geo-redundant backups.
- Edge: Cloudflare Enterprise (DDoS, WAF, bot management, rate limiting).
- Uptime target: 99.9% measured monthly. Status page: status.isada.ai.
- Backups: Encrypted automated backups with point-in-time recovery, retained 30 days.
- Network isolation: Private VPCs, security groups, and least-privilege IAM roles for all internal services.
2. Encryption
All customer data is encrypted in transit and at rest using industry-standard cryptography.
- At rest: AES-256-GCM for databases, object storage, and call recordings.
- In transit: TLS 1.3 on all public endpoints (HSTS preloaded). Internal service-to-service traffic uses mTLS.
- Key management: AWS KMS with annual key rotation; envelope encryption for sensitive fields.
- Secrets: API tokens hashed with bcrypt; OAuth tokens encrypted in the database.
3. Access Controls
Strict safeguards ensure only authorized people and systems can access sensitive data.
- Role-based access control (RBAC): Customers can configure roles per dashboard user (owner, admin, agent, viewer).
- Multi-factor authentication (MFA): Required for all iSada staff; available and recommended for all customer admins.
- Single sign-on (SSO): SAML 2.0 SSO available on Enterprise.
- Principle of least privilege: Staff access to production is just-in-time, audited, and tied to ticketed work.
- Audit logs: Every access to sensitive data is logged with user, timestamp, IP, and action.
4. Compliance
We design for and maintain alignment with major regulatory frameworks.
- SOC 2 Type II — audit in progress, expected report in late 2026.
- ISO 27001 — framework alignment; controls mapped and operational.
- GDPR — full compliance for EU/EEA customers, including DPA, SCCs, and data subject rights workflow.
- PIPEDA — full compliance for Canadian customers.
- HIPAA-ready — available on Enterprise plans, with executed Business Associate Agreement (BAA). See our HIPAA page.
- CCPA / CPRA — California consumer privacy rights honored.
5. Incident Response
We operate a documented incident response process with defined severity levels and on-call coverage.
- 24/7 monitoring with paging for production incidents.
- 72-hour breach notification to affected customers, in line with GDPR Article 33.
- Post-incident review for all sev-1 and sev-2 incidents, with remediation tracked to closure.
- Runbooks reviewed and updated quarterly.
- Tabletop exercises conducted annually with engineering and leadership.
6. Data Residency
Customer data is stored in the region selected at signup. Available regions:
- Canada (default for Canadian customers) — AWS ca-central-1.
- United States — AWS us-east-1.
- European Union — AWS eu-west-1 (available on request).
Data does not leave the chosen region for primary storage. Encrypted backups may replicate to a paired region for disaster recovery, with the same residency boundary.
7. Vulnerability Disclosure
We welcome reports from the security research community. If you believe you have found a security vulnerability in the iSada platform:
- Email security@isada.ai with details and reproduction steps.
- Encrypt sensitive details with our PGP key (available on request).
- Allow us reasonable time to investigate and remediate before public disclosure.
- We commit to acknowledging valid reports within 48 hours and triaging in good faith.
We do not currently operate a paid bug bounty, but we publicly acknowledge researchers in our hall of fame with permission.