Our commitment to security standards and regulatory compliance
Full compliance with EU General Data Protection Regulation. Users have the right to access, correct, delete, and export their data.
California Consumer Privacy Act compliant. California residents have enhanced privacy rights and control over their data.
Industry-standard encryption for all files at rest. Data in transit protected with TLS 1.3.
We operate to SOC 2 Type II controls internally and will engage a formal third-party audit when a customer engagement requires the report.
Same approach as SOC 2 — controls are operated to the standard internally; we pursue formal certification when our customer base requires it.
Payment processing handled by Stripe (PCI Level 1 certified). We never store or handle credit card data directly.
We invest in security continuously and pursue formal certifications as our customer base requires them. The controls described on the Security page — encryption, access management, change management, monitoring, backups, incident response — are operated to SOC 2 Type II standards internally today.
If a SOC 2, ISO 27001, HIPAA, or other formal attestation is required for your purchase, reach out to compliance@sbvault.app and we will discuss scope, timeline, and current status.
Full technical details on the Security page.
All data stored in SBVault is hosted on enterprise-grade cloud infrastructure located in the United States. Data is subject to U.S. jurisdiction and legal processes.
For users outside the United States, data is transferred to and processed in the U.S. We rely on the following safeguards:
A Data Processing Addendum incorporating the EU Standard Contractual Clauses is available to business customers on request. Email compliance@sbvault.app with your company name and the address you'd like the executed copy returned to.
The categories of subprocessors who process personal data on our behalf — cloud infrastructure, payment processing, AI model provider, antivirus/malware-scan provider, bot-protection provider, inbound and outbound mail providers — are listed on the Privacy page with each category's purpose and the data it receives. The specific named providers behind each category are maintained in our internal subprocessor record (GDPR Art. 30) and are available on request via compliance@sbvault.app — business customers can request the named list as an appendix to a signed Data Processing Addendum (DPA). Material changes are announced in the privacy policy and (for business customers under a DPA) by direct notice.
Third-party audits provide independent verification of our security practices. While we follow industry best practices, we acknowledge that independent certification is important for enterprise trust.
We rely on certified infrastructure and security providers:
Named providers behind each category are available on request via compliance@sbvault.app.
For any compliance, legal, security, or privacy-related questions, reach out to our team:
Last Updated: January 29, 2026