Trust Center

Security, privacy, reliability, and compliance at SankeyArt.

Last updated: September 2025

Resources

  • Architecture diagram · SankeyArt
  • Data flow diagram · SankeyArt
  • Security attestation · Excel add-in
  • Security attestation · PowerPoint add-in
  • Privacy policy
  • Terms of service

Compliance

  • GDPR
  • ISO 27001 (in progress)

We protect user data using industry-standard encryption both in transit and at rest. All connections to SankeyArt are secured via TLS 1.2+ with support for TLS 1.3, ensuring that data is encrypted while moving between your browser, Cloudflare's global edge network, and our application servers on Heroku. Weak legacy protocols such as TLS 1.0 and TLS 1.1 are disabled.

At rest, all application data is stored in Heroku Postgres databases and Redis caches, which are encrypted with AES-256 by default. File assets and backups are stored in AWS S3, also encrypted with AES-256. Encryption is always enabled, across all plans, with no opt-in required.

Key management and rotation are handled by our infrastructure providers according to their compliance frameworks (including SOC 2 and ISO 27001). This means encryption keys are securely generated, stored, and rotated without manual intervention.

Together, these measures ensure that sensitive information is protected end-to-end — whether it is being transmitted across the network or stored in our databases and file systems.

Our platform provides multiple secure ways for users to access their accounts:

  • Single Sign-On (SSO): Customers can sign in with their existing Google or Microsoft accounts, inheriting the security protections (including MFA, device checks, and conditional access policies) that those providers enforce.
  • Email + password: We support direct sign-in with email and password, safeguarded by strong password quality controls and secure reset procedures.

For flexibility, limited functionality is available without authentication so that new users can quickly test the product before creating an account.

Password protections
  • Minimum length of 8 characters, with checks against common or easily guessable values.
  • Passwords cannot consist solely of numbers or be too similar to account identifiers.
  • All password operations (creation, change, reset) occur over TLS-encrypted channels.
  • Reset links are valid for a limited time, ensuring protection against unauthorized use.
  • Authentication flows are periodically reviewed against evolving best practices.

At present, native multi-factor authentication (MFA) and enterprise integrations (Okta, SAML, Azure AD) are not yet supported. For the strongest protection, we recommend using Google or Microsoft SSO, which includes MFA and advanced account security features when enabled with your identity provider.

All user data is stored in secure cloud infrastructure hosted on Heroku and Amazon Web Services (AWS) in the United States. Both platforms maintain industry certifications such as SOC 2 and ISO 27001, ensuring that physical and logical security standards are met.

To protect against data loss, we maintain automated daily database backups. These backups are encrypted at rest, securely stored within AWS, and retained for 7 days. Backup restorations are tested on a regular basis to verify integrity and recoverability.

Provider | Purpose                          | Retention | Region
Heroku   | Application and database hosting | Ongoing   | US
AWS      | Encrypted daily database backups | 7 days    | US

Analytics data locations and subprocessors are described in the Data governance and third-party access section.

We take a layered approach to protecting the platform, combining network-level defenses, secure development practices, and ongoing patch management.

Network and infrastructure controls
  • All traffic is routed through Cloudflare, which provides a Web Application Firewall (WAF), bot/attack mitigation, and basic intrusion detection signals.
  • The application runs on secure cloud infrastructure with built-in isolation between services and tenants.
  • TLS 1.2+ is enforced end-to-end for all services.

Secure development practices
  • Input validation and output encoding to prevent injection and XSS.
  • Strong authentication and session handling; no plaintext credentials.
  • Secrets management via environment variables / vaults; no hard-coded keys.
  • Structured logging with filters to avoid sensitive data in logs.
  • Peer code reviews before production deploys.
  • Practices aligned with the OWASP Top 10.

Patch and dependency management
  • Automated dependency scanning runs continuously.
  • Security updates are triaged and applied on a weekly cadence; critical issues are addressed promptly.

Architecture and data flow diagrams are available in the Resources section.

We continuously monitor the health and security of our platform to detect and respond to issues quickly:

  • Application monitoring: Automated systems track performance, availability, and reliability.
  • Error detection and escalation: Errors are captured in real time, and alerts are routed to our engineering team with defined escalation procedures to ensure prompt resolution.
  • Log monitoring: Application and infrastructure logs are aggregated, stored securely, and regularly reviewed for anomalies.

Audit logs (planned)

Customer-facing audit logs, which record user actions within the product, are planned for release by the beginning of 2026. These logs will be exportable and have retention periods in line with common industry practice.

We are committed to meeting industry standards and regulatory requirements to protect user data and earn your trust.

  • GDPR: Our service is designed with GDPR principles in mind, including clear privacy disclosures, lawful bases for processing, encryption in transit and at rest, subprocessor transparency, and processes for honoring user rights (access, deletion, and rectification). While some workflows are handled manually today, we consider the service aligned with GDPR requirements and continue to enhance automation over time.
  • ISO 27001: We are actively preparing for ISO 27001 certification, with a target completion by mid-2026.
  • Security documentation: This page provides the standard security information most IT and compliance teams request for review. Additional documentation can be shared upon request.
  • Breach history and disclosure: We have had no material security incidents to date. In the event of a breach, we will notify affected users promptly in line with legal requirements and best practices.

We do not currently hold a SOC 2 report, but our security controls are modeled against similar criteria.

We are committed to transparency in how user data is handled and shared.

  • Data storage and security: User data is hosted in secure US-based data centers. See Data storage, residency and backups for more details.
  • Personal and financial data:
    • Personal data is stored in our database.
    • Financial data (such as payment details) is processed by our payment provider Stripe.
    • Certain personal identifiers (such as first name, last name, email) may be shared with subprocessors that provide analytics, customer communication, or operational services.
  • Data retention: Personal data is retained indefinitely unless a deletion request is submitted. Customers may request account deletion by contacting us directly.
  • Data deletion: We process deletion requests manually via email. Once confirmed, data is permanently erased from our systems and subprocessors to the extent applicable.

Service providers

We work with carefully selected subprocessors and service providers to deliver our services. Each provider is subject to a Data Processing Agreement (DPA) or equivalent contractual safeguards. Our subprocessors include:

Provider         | Purpose            | Data processed                 | Region
Stripe           | Payment processing | Billing details                | US
Mailchimp        | Email campaigns    | Basic profile info             | US
Sentry           | Error monitoring   | Basic profile info, usage data | US
Google Analytics | Data analytics     | Basic profile info, usage data | US
Mixpanel         | Data analytics     | Basic profile info, usage data | EU
Perplexity       | Data analytics     | Basic profile info             | US

Not convinced?

For any additional questions or concerns, please write to us at [email protected] and we will get back to you within 24 hours.