Security you can verify.
Not just claim.

Encryption, access controls, audit logs, and transparent subprocessor list. Everything your security team needs to review.

Security Features

Built secure from day one.

Encryption at rest and in transit

All data encrypted using AES-256. TLS 1.3 for all connections. Keys managed via AWS KMS with automatic rotation.

In Progress

SOC 2 Type II

Audit in progress. Expected completion Q3 2026. Current controls meet SOC 2 requirements; formal report pending.

Access controls and audit logging

Role-based access control (RBAC) for all accounts. Every action logged with actor, timestamp, IP, and resource.

Infrastructure security

Hosted on AWS in US-EAST-1. Isolated VPCs, private subnets, security groups. Regular penetration testing.

Data retention and deletion

Soft delete (30 days), hard delete (90 days). Customer data removed within 30 days of account closure. Audit logs retained 1 year.

Compliance frameworks

GDPR-compliant data processing. CCPA data subject rights honored. DPA available for enterprise customers.

Subprocessors

Where your data goes.
No surprises.

Vendor
Purpose
Region
Amazon Web Services
Infrastructure hosting
United States
Stripe
Payment processing
United States
Anthropic
AI inference (Claude)
United States
Resend
Transactional email
United States
Clerk
Authentication
United States

Material changes to this list are communicated to active customers at least 30 days before taking effect. Last updated: May 2026.

An Honest Note

On SOC 2 and certifications

Growth Terminal is currently undergoing SOC 2 Type II audit. Expected completion: Q3 2026.

We built the system to SOC 2 requirements from day one: encryption, access controls, audit logs, change management, incident response. The controls are live. The formal report is pending.

If your procurement requires an active SOC 2 report before contract signature, we can share our audit timeline and current control documentation. Reach out below.

Questions about security?

Request our security questionnaire pack, DPA, or schedule a call with our security team.