Security & Compliance

Enterprise-grade security.
By design.

Financial data, lease terms, tenant PII, and investor information live on the Digital Grid. We treat that responsibility seriously — with third-party certifications, field-level encryption, and multi-tenant isolation that your security team can verify.

SOC 2 Type II · ISO 27001 · GDPR · CCPA · AES-256 · TLS 1.3 · 99.9% SLA

Certifications

Standards your security team knows.

SOC 2 Type II

Security & Availability

Annual third-party audit of security, availability, and confidentiality controls across all production systems.

ISO 27001

Information Security

International standard for information security management systems. Certified across all HqO engineering and operational functions.

GDPR

Data Privacy

Compliant with the EU General Data Protection Regulation. DPA available. EU data residency option in Frankfurt.

CCPA

Consumer Privacy

Compliant with the California Consumer Privacy Act. Data subject rights workflows and deletion pipelines available.

HIPAA-Ready

Healthcare Adjacent

BAA available for customers with healthcare tenants. Note that HIPAA has no formal certification: "HIPAA-Ready" means PHI handling controls are implemented following the HIPAA Security Rule safeguards and are covered by the BAA.

FedRAMP (In Progress)

Federal

FedRAMP Authorization in progress for government-adjacent portfolios. Expected authorization Q3 2026.

Data Architecture

Encrypted everywhere. Isolated always.

Encryption at Rest

AES-256

All data stored on the Digital Grid is encrypted at rest with AES-256. Encryption is applied at the database level, and each tenant's data is encrypted under its own keys.

AES-256 for all stored data
Per-tenant key management
AWS KMS for key custody
Annual key rotation

Encryption in Transit

TLS 1.3

All data in transit is encrypted using TLS 1.3. HTTP Strict Transport Security enforced. Certificate pinning on mobile clients.

TLS 1.3 minimum on all connections
HSTS with preload
Certificate pinning (iOS/Android)
No TLS 1.0/1.1 support

Field-Level Encryption

Financial Data

Sensitive financial fields — bank account numbers, tax IDs, social security numbers — are encrypted at the field level with separate key hierarchies.

Separate key hierarchy for PII
Field-level encryption for financial data
Masked display in UI
API access controls per field
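The key hierarchy described under Encryption at Rest and Field-Level Encryption above, reduced to a runnable sketch. This is an added example, not HqO's code: the in-memory key custodian, the tenant and record identifiers, and the field names are assumptions standing in for AWS KMS and the real schema. It uses AES-256-GCM from the Python `cryptography` package both to wrap a fresh per-field data key under the tenant key and to encrypt the field value, and it shows the three checks a reviewer would want to see: a round trip, a cross-tenant decrypt refused both by policy and by the key hierarchy itself, and a ciphertext moved to another record being rejected.

```python
"""Per-tenant key hierarchy with field-level AES-256-GCM (illustrative, not HqO code).

Layers modelled (names are hypothetical):
  tenant KEK  - one 256-bit key per tenant, held by a custodian that never
                releases it (stands in for an AWS KMS key)
  field DEK   - a fresh 256-bit data key per encrypted field, stored only
                wrapped under the tenant KEK, next to the ciphertext
  ciphertext  - AES-256-GCM over the field value; tenant, record and field
                name are bound in as associated data (AAD)
"""
import os
from dataclasses import dataclass

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit GCM nonce


class KeyCustodian:
    """Stand-in for a KMS: wraps and unwraps DEKs under a per-tenant KEK."""

    def __init__(self):
        self._keks = {}  # tenant_id -> KEK bytes, never returned to callers

    def create_tenant_key(self, tenant_id):
        self._keks[tenant_id] = AESGCM.generate_key(bit_length=256)

    def wrap(self, tenant_id, dek):
        nonce = os.urandom(NONCE_LEN)
        # The tenant id is AAD, so a wrapped DEK is bound to its tenant.
        return nonce + AESGCM(self._keks[tenant_id]).encrypt(nonce, dek, tenant_id.encode())

    def unwrap(self, tenant_id, blob):
        # Raises InvalidTag if the KEK or the tenant bound as AAD is wrong.
        return AESGCM(self._keks[tenant_id]).decrypt(
            blob[:NONCE_LEN], blob[NONCE_LEN:], tenant_id.encode()
        )


@dataclass(frozen=True)
class EncryptedField:
    tenant_id: str
    wrapped_dek: bytes
    nonce: bytes
    ciphertext: bytes


def _aad(tenant_id, record_id, field_name):
    return f"{tenant_id}|{record_id}|{field_name}".encode()


def encrypt_field(kms, tenant_id, record_id, field_name, value):
    dek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(NONCE_LEN)
    ct = AESGCM(dek).encrypt(nonce, value.encode(), _aad(tenant_id, record_id, field_name))
    return EncryptedField(tenant_id, kms.wrap(tenant_id, dek), nonce, ct)


def decrypt_field(kms, caller_tenant, record_id, field_name, enc):
    # Policy check first; even if it were bypassed, unwrap() under the wrong
    # tenant KEK fails cryptographically.
    if caller_tenant != enc.tenant_id:
        raise PermissionError("cross-tenant field access refused")
    dek = kms.unwrap(caller_tenant, enc.wrapped_dek)
    aad = _aad(caller_tenant, record_id, field_name)
    return AESGCM(dek).decrypt(enc.nonce, enc.ciphertext, aad).decode()


def mask(value, keep=4):
    """Masked display form for the UI: only the last `keep` characters survive."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def demo():
    kms = KeyCustodian()
    for tenant in ("acme-reit", "globex-props"):  # constructed tenant ids
        kms.create_tenant_key(tenant)
    ssn = "123-45-6789"  # constructed sample value, not real data
    enc = encrypt_field(kms, "acme-reit", "rec-42", "ssn", ssn)
    results = {"roundtrip": decrypt_field(kms, "acme-reit", "rec-42", "ssn", enc),
               "masked": mask(ssn)}
    try:  # 1. another tenant asking through the API is refused by policy
        decrypt_field(kms, "globex-props", "rec-42", "ssn", enc)
        results["cross_tenant"] = "allowed"
    except PermissionError:
        results["cross_tenant"] = "refused"
    try:  # 2. with the policy check skipped, Globex's KEK still cannot unwrap Acme's DEK
        kms.unwrap("globex-props", enc.wrapped_dek)
        results["wrong_kek"] = "unwrapped"
    except InvalidTag:
        results["wrong_kek"] = "invalid_tag"
    try:  # 3. ciphertext copied onto another record fails the AAD check
        decrypt_field(kms, "acme-reit", "rec-99", "ssn", enc)
        results["moved"] = "accepted"
    except InvalidTag:
        results["moved"] = "invalid_tag"
    return results


if __name__ == "__main__":
    print(demo())
```

Binding the tenant, record and field name into the AAD is what makes "field-level" more than "encrypted column": a database user who can read and write ciphertext blobs still cannot swap one customer's encrypted tax ID into another record without the decrypt failing.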

Multi-Tenant Isolation

Hard Partition

Every organization on the Digital Grid is isolated at the database level: tenants share no tables, so a query scoped to one tenant has no path to another tenant's rows. Validated by annual third-party penetration tests.

Hard database-level tenant isolation
Zero shared tables across tenants
Annual penetration testing
Cross-tenant query prevention

Access Control

Who can access what. Fully configurable.

RBAC (Role-Based Access Control)

Granular roles down to individual object types and fields. Custom roles supported.

SSO / SAML 2.0

Integrate with Okta, Azure AD (now Microsoft Entra ID), Google Workspace, and any SAML 2.0 provider.

OIDC / OAuth 2.0

Standards-based identity federation for developer and API access workflows.

MFA (Multi-Factor Authentication)

Required for all admin roles. Enforced via authenticator app or hardware key.

IP Allowlisting

Restrict API and dashboard access to approved IP ranges by organization.

Audit Logs

Every read, write, and admin action is logged with timestamp, user, and IP. Immutable. Exportable.

Session Management

Configurable session timeouts, forced logouts, and concurrent session limits.

API Key Scoping

API keys carry permission scopes down to individual object types and verbs (read/write/admin).
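An added example of how the scoping described under RBAC and API Key Scoping above can be enforced. It is not HqO's code: the scope syntax (`object_type:verb`), the verb ordering read < write < admin, the `*` wildcard and the sample analyst role are all assumptions. The point it shows is that an API key's scopes are intersected with its owner's role, so a key minted by a read-only analyst stays read-only even if it was issued with `lease:admin`, and that field-level permissions filter the response body, not only the route.

```python
"""API-key scope enforcement layered on RBAC (illustrative, not HqO code).

Hypothetical conventions: a scope is "<object_type>:<verb>" with verbs
read < write < admin, and "*" matches any object type. Effective permission is
role AND key scope, so a key can never exceed the person who minted it.
"""
from dataclasses import dataclass

VERB_RANK = {"read": 0, "write": 1, "admin": 2}


@dataclass(frozen=True)
class Role:
    verbs: dict    # object_type -> highest verb the role holds
    fields: dict   # object_type -> tuple of readable fields, or "*" for all


@dataclass(frozen=True)
class ApiKey:
    owner_role: Role
    scopes: frozenset  # e.g. {"lease:read", "invoice:write"}


def parse_scope(scope):
    obj, _, verb = scope.partition(":")
    if not obj or verb not in VERB_RANK:
        raise ValueError(f"malformed scope {scope!r}")
    return obj, verb


def key_allows(key, object_type, verb):
    """Highest verb granted by any matching scope must reach the requested verb."""
    granted = -1
    for scope in key.scopes:
        obj, v = parse_scope(scope)
        if obj in ("*", object_type):
            granted = max(granted, VERB_RANK[v])
    return granted >= VERB_RANK[verb]


def role_allows(role, object_type, verb):
    top = role.verbs.get(object_type)
    return top is not None and VERB_RANK[top] >= VERB_RANK[verb]


def authorize(key, object_type, verb):
    # Both layers must agree: the role caps the key, the key caps the role.
    return role_allows(key.owner_role, object_type, verb) and key_allows(key, object_type, verb)


def project_fields(key, object_type, record):
    """Drop fields the owner's role may not see before the record leaves the API."""
    allowed = key.owner_role.fields.get(object_type, ())
    if allowed == "*":
        return dict(record)
    return {k: v for k, v in record.items() if k in allowed}


# Constructed fixtures: a leasing analyst who may read leases and edit invoices,
# and whose role hides the tenant tax ID field on lease objects.
ANALYST = Role(
    verbs={"lease": "read", "invoice": "write"},
    fields={"lease": ("id", "rent", "term_months"), "invoice": "*"},
)
# Over-scoped key: "lease:admin" exceeds what the analyst holds and must be capped.
KEY = ApiKey(owner_role=ANALYST, scopes=frozenset({"lease:admin", "invoice:read"}))
WILDCARD_KEY = ApiKey(owner_role=ANALYST, scopes=frozenset({"*:read"}))
SAMPLE_LEASE = {"id": "L-1", "rent": 4200, "term_months": 36, "tenant_tax_id": "12-3456789"}


if __name__ == "__main__":
    for obj, verb in (("lease", "read"), ("lease", "write"), ("invoice", "write"), ("building", "read")):
        print(f"{obj}:{verb} -> {authorize(KEY, obj, verb)}")
    print(project_fields(KEY, "lease", SAMPLE_LEASE))
```

Scope strings are validated on every check rather than trusted from storage, so a malformed or unknown verb is rejected loudly instead of silently granting nothing (or, worse, something).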

Infrastructure

Multi-region. Always on.

Cloud
AWS (us-east-1, us-west-2, eu-west-1)
Uptime SLA
99.9% guaranteed (about 43 minutes of permitted downtime per 30-day month)
RTO
< 4 hours
RPO
< 1 hour
Backups
Hourly snapshots, 30-day retention
DDoS Protection
AWS Shield Advanced
CDN
CloudFront (global edge)
Monitoring
24/7 SOC + automated alerting

Bug Bounty

Responsible disclosure.

We run a private bug bounty program for security researchers. Scope covers all production Digital Grid endpoints, the HqO web app, and mobile clients. We respond to all valid reports within 48 hours.

Critical: up to $15,000
High: up to $5,000
Medium: up to $1,500
Low: $250 + swag
Report a vulnerability

Trust Center

Access our security documentation, current SOC 2 report, penetration test summaries, and sub-processor list — all available under NDA for prospective enterprise customers.

SOC 2 Type II report (latest)
Penetration test summary
Sub-processor list
Data processing addendum (DPA)
Business associate agreement (BAA)
Security questionnaire (SIG Lite)

Questions about security?

Our security team is available to answer questionnaires, conduct technical reviews, and review certifications with your infosec team.