DataFoundry is built for teams in regulated industries — medical imaging, surgical robotics, autonomous vehicles. Security and data integrity are foundational requirements, not add-ons.
All data is transmitted over TLS 1.2+. Data at rest is encrypted. API keys for annotation tool integrations are encrypted with AES-256 before storage — plaintext keys are never persisted.
Every create, update, and delete operation across the platform is logged to an immutable audit trail with timestamp, actor, and full before/after state. The audit trail is required for regulatory compliance and is available for export at any time.
All data is scoped by organization ID at the database level. Every query enforces org isolation — it is architecturally impossible to access another tenant's data.
Four roles (OWNER, ADMIN, MANAGER, VIEWER) control who can read, create, update, or delete resources. VIEWER is strictly read-only. All mutations require role verification server-side.
We use Sentry to detect and alert on application errors in real time. Security-relevant errors trigger immediate investigation. No sensitive user data is included in error payloads.
Inbound webhooks from annotation tools are authenticated via HMAC signature verification. Requests with invalid or missing signatures are rejected with a 401 before processing.
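One way to implement the webhook check described above, as an added example that is not DataFoundry's own code. It assumes HMAC-SHA256, a hex signature in a hypothetical `X-Signature` header (optionally prefixed `sha256=`), and a constructed secret and payload.

```python
import hashlib
import hmac
import json

# Assumptions (not from the page): HMAC-SHA256, hex signature carried in an
# "X-Signature" header. SECRET and BODY are constructed sample values.
SIGNATURE_HEADER = "x-signature"
SECRET = b"constructed-test-secret"
BODY = b'{"event":"task.completed","task_id":42}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes received on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> int:
    """Return the HTTP status to send: 200 if authentic, 401 otherwise."""
    # Header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(SIGNATURE_HEADER, "").strip().lower()
    if not presented:
        return 401  # missing signature: reject before parsing the body
    if presented.startswith("sha256="):
        presented = presented[len("sha256="):]
    expected = sign(secret, raw_body)
    # compare_digest does not leak the first mismatching position via timing.
    # Comparing bytes keeps non-ASCII header input from raising TypeError.
    if not hmac.compare_digest(expected.encode(), presented.encode("utf-8")):
        return 401
    return 200


def demo() -> dict:
    """Run the check over constructed requests and collect the statuses."""
    good = {"X-Signature": "sha256=" + sign(SECRET, BODY)}
    # Re-serialising the JSON changes whitespace, so the MAC no longer matches:
    # the check must run on the raw request bytes, not on a parsed copy.
    reserialised = json.dumps(json.loads(BODY)).encode()
    return {
        "valid": verify_webhook(SECRET, good, BODY),
        "missing": verify_webhook(SECRET, {}, BODY),
        "tampered": verify_webhook(SECRET, good, BODY.replace(b"42", b"43")),
        "reserialised": verify_webhook(SECRET, good, reserialised),
    }


if __name__ == "__main__":
    print(demo())
```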
SOC 2 Type I: In progress. Contact us for our current security posture documentation.
Data Processing Agreement (DPA): Available for all customers. Required for EU-regulated customers under GDPR.
GDPR: DataFoundry can operate as a data processor under GDPR. See our Privacy Policy and DPA for details.
Penetration testing: Regular internal security reviews. Third-party pen test planned for H2 2026.
If you discover a security vulnerability, please report it responsibly to team@datafoundry.app with the subject line "Security Vulnerability Report". We will acknowledge receipt within 48 hours and work with you to resolve the issue.