Customer data, audit-friendly by default.
What we encrypt, who can access it, which vendors we use, and how we respond when something goes wrong. No marketing asterisks.
Six controls we always have on.
No "best efforts." These run in production every day, are tested quarterly, and are documented in the evidence pack we ship under NDA.
TLS 1.2+ in transit. AES-256 at rest. Customer secrets stored in Azure Key Vault with HSM-backed keys.
SSO + MFA required for all production systems. Role-based, least-privilege defaults. Access reviewed quarterly.
Every data-access event logged with actor, action, resource, timestamp. 90-day minimum retention; longer on enterprise plans.
Private VPCs with no public ingress to data-plane services. Bastion-only SSH, broker-only DB access.
Encrypted, region-redundant, point-in-time recovery to 7 days. Tested quarterly via restore drills.
Independent third-party penetration test annually. Findings + remediation summaries available under NDA.
The vendor list. Fully public.
Customers are notified of new sub-processors 30 days in advance and may object. The current authoritative list is below.
Where we stand on the standards.
Honest about what we have, what we're working on, and what we don't support. No "compliance theater".
Audit underway · Q3 2026 target
DPA + SCCs available
Privacy rights honored within 30d
PHI not supported on standard plans
Targeted post-SOC 2
No card data handled directly
Suspect a vulnerability? Email security@unioneleven.ai — encrypted via PGP key on request. We acknowledge inside 24 hours.