Elephant
§Trust Center

Your data, in our care. Stated plainly. Documented exhaustively.

One page summarising how we protect customer data, where it lives, who can see it, and what we do when something goes wrong. Every claim below maps to a control with a downloadable artifact behind it. Most reviews close in three clicks.

Download the procurement pack
Email security@follow.app

Current as of 2026-04-29 · 1.4 MB · SOC 2 · CAIQ · SIG Lite · Pen-test summary · DPA template

§§ 01 / Posture at a glance

Twelve rows. Everything procurement asks first.

The first page of every security questionnaire. Stated plainly — no badges, no aspirational language, no "best in class". Each row is anchored to a deeper section below.

Encryption at rest
AES-256-GCM. Per-tenant keys, rotated every 90 days, escrowed in AWS KMS with split-key access.
Encryption in transit
TLS 1.3 only. HSTS preloaded. Forward secrecy on every connection.
SOC 2 Type II
In progress — observation window opens Q3 2026. Type I letter available on request.
ISO 27001
Roadmap — target Q4 2026, gap assessment complete.
GDPR
Compliant. DPA on request, with EU SCCs and the UK addendum included.
AU Privacy Act 1988
Aligned, including APP 1–13. NDB scheme procedure in `/legal/privacy`.
Data residency
AU (Sydney · ap-southeast-2), EU (Frankfurt · eu-central-1), US-East (us-east-1). Pinned at signup, immutable thereafter.
SSO / SCIM
SAML 2.0 + SCIM 2.0 on Enterprise. JIT provisioning, group-to-role mapping, deprovision-on-removal.
RBAC
Owner / Admin / Member / Viewer. Two-Owner-required for sensitive ops on Enterprise.
Audit log
40 event types, 8 categories, 365-day default. Streamed to S3/SIEM on Enterprise.
Backups
Daily, encrypted, 30-day window. Restore-tested quarterly with a signed runbook.
RPO / RTO
RPO 1 hour. RTO 4 hours. Last drill: 2026-03-14, both targets met.

Last reviewed 2026-04-29 · Next review 2026-07-29 · Owner: head-of-security@follow.app

§§ 03 / Security

The boring details. Done well.

Encryption, access control, infrastructure. Below is what we actually do — not aspirational, not vendor-marketing, current as of 2026-04-29.

Encryption & key management

Per-tenant keys. Rotated. Escrowed. Documented.

Every tenant gets its own data-encryption key, wrapped by a region-bound KMS master. If you offboard, the key is destroyed and the ciphertext is unrecoverable. The chain is documented end to end.

Algorithm
AES-256-GCM for data at rest. ChaCha20-Poly1305 for in-memory caches that span request boundaries.
Key hierarchy
Per-tenant data-encryption keys (DEKs), wrapped by per-region key-encryption keys (KEKs) in AWS KMS. Master key is FIPS 140-2 Level 3 HSM-backed.
Rotation
DEKs rotated every 90 days automatically. KEKs rotated annually with re-wrapping in place — no plaintext exposure during rotation.
In transit
TLS 1.3 only. HSTS preloaded with includeSubDomains and a 2-year max-age. Forward secrecy on every handshake.
Backups
Encrypted with the same per-tenant DEK chain. Restore-tested quarterly with a signed runbook; last test 2026-03-14, both RPO and RTO targets met.

Access control

Least privilege, in writing.

Customer-side RBAC, SSO and SCIM cover the obvious cases. Internal access — what happens when an Elephant engineer needs to look at a row to debug a bug — is the case competitors hand-wave through. We don't.

Customer RBAC
Owner / Admin / Member / Viewer. Least-privilege defaults. Two-Owner-required for sensitive ops on Enterprise.
SSO
SAML 2.0 with Just-in-Time provisioning. Group-to-role mapping. Tested against Okta, Azure AD, Google Workspace, OneLogin and JumpCloud.
SCIM
SCIM 2.0 with create / update / deprovision. Removed users lose access within 60 seconds of the IdP event.
Internal access
Engineering reads tenant rows only via a time-bound, named-purpose grant from a customer Owner. Every grant lands in your audit feed.
Production access
Bastion-only. Hardware-key (WebAuthn) plus 24h-expiring SSH cert. Session recording on for every shell.
Audit log
40 event types across 8 categories. 365-day default retention. Streamed to S3 / SIEM on Enterprise via append-only delivery.

Infrastructure

Three regions. No replication without consent.

The Australian, European and US deployments are operationally identical. Same image, same patch cadence, same monitoring. Different data, different keys, different sovereignty.

Hosting
AWS in three regions: ap-southeast-2 (Sydney), eu-central-1 (Frankfurt), us-east-1 (US-East). No replication across regions without written consent.
Network isolation
VPC per region. No public IPs on application or data-tier hosts. All ingress through Cloudflare → ALB → mTLS to internal services.
Tenant isolation
Row-level partition keyed on tenant ID. Per-tenant DEK enforces cryptographic isolation in addition to the row-level guard.
Patch cadence
Critical patches within 48 hours of release. Standard patches on a weekly window. CVE feed monitored continuously, paged on Sev-1.
Vulnerability scanning
Continuous SAST + DAST in CI. Quarterly external pen-test (last: 2026-02 by NCC Group; report in the procurement pack).
Backups & DR
Daily encrypted snapshots, 30-day window. Cross-AZ replicas inside the chosen region. RPO 1 hour. RTO 4 hours.

§§ 04 / What we don't do

Six things Elephant refuses, on purpose. In writing. On the contract.

The home page lists these in a tighter grid. Here they are in full. Each is a control your security reviewer — and your agency partners running thirty client brands — can audit.

  1. no transform

    We don't transform your data.

    Generic ETL pipelines move raw rows into a warehouse and leave the customer-merge work to your team — three sprints of dbt models, a backlog of edge cases, a stand-up about Klaviyo every Tuesday. Elephant does the merge upstream, deterministically, and shows you the SHA-256 hash of every canonical row. The library you query is the same library your security reviewer audits.

  2. no enrichment

    We don't enrich with third-party data.

    No purchased intent signals. No scraped firmographics. No identity-graph append. The library contains exactly what your sources contained — canonicalised, deduplicated, and hashed, but never extended with data you didn't pay for or consent to. Procurement asks this in question 4 of every questionnaire; the answer is in writing on the MSA.

  3. no model training

    We don't train models on your data.

    The MSA prohibits it. There is no "but for product improvement," no "with anonymised aggregates," no AI feature roadmap that touches a customer row. Internal analytics on Elephant's own usage telemetry — counts, latencies, error rates — are aggregated in a separate pipeline that never reads tenant rows.

  4. no unaudited reads

    We don't read your customer rows without an audit-logged grant.

    Engineers cannot query into your tenant on a hunch, on a debugging session, or for a support escalation. Every internal access requires a time-bound, named-purpose grant from an Owner on your account, and every grant lands in your audit feed alongside the Elephant operator's initials. If support never asked for a grant, support never read a row.

  5. no cross-tenant fingerprinting

    We don't fingerprint end customers across tenants.

    Every tenant is partitioned at the row level — separate KMS key, separate residency, separate audit feed. Your CUST-04A2F is not visible to any other agency, brand, or tenant — ever. Two agencies running Elephant against overlapping client lists will never see each other's records, and an agency's own brand clients are isolated from one another by the same row-level partition. The hash function is shared; the data behind the hash is not.

  6. no brand takeover

    We don't put our brand in front of your client.

    Whitelabel is not an upsell add-on. Your domain, your logo, your typography on every report, dashboard, and PDF — including the email envelope and the unsubscribe footer. The "Powered by Elephant" line is off by default on Agency tier, and turning it on is a setting on your end, not a default that ships from us. The artifact your client sees is yours, end to end.

§§ 05 / Compliance

Where we stand. Where we're going.

Stated honestly. We don't claim certifications we don't have, and we don't hide the ones we're working on. Status as of 2026-04-29.

SOC 2 Type II
Status: In progress · Q3 2026
Type I letter is available today. The Type II observation window opens Q3 2026; report expected Q1 2027. Auditor: Prescient Assurance.
Artifact: soc2-type-i-letter.pdf · 184 KB

GDPR
Status: Compliant
DPA on request, with EU SCCs (Module 2) and the UK addendum included. Sub-processor list reviewed quarterly. EU representative: VeraSafe.
Artifact: follow-dpa-v3.pdf · 62 KB

AU Privacy Act 1988
Status: Aligned
Aligned across APP 1–13. Notifiable Data Breach (NDB) procedure documented in /legal/privacy. Privacy Officer reachable at privacy@follow.app.
Artifact: au-privacy-policy.pdf · 41 KB

ISO 27001
Status: Roadmap · Q4 2026
Gap assessment complete 2026-02. Stage 1 audit booked for Q3 2026. We don't claim ISO 27001 today and won't until the certificate is in hand.
Artifact: iso-gap-assessment-summary.pdf · 22 KB

HIPAA
Status: Out of scope
Elephant does not handle Protected Health Information. We don't sign BAAs and we recommend customers in healthcare verticals use a HIPAA-scoped processor for PHI fields. Commerce-data records are not designed for PHI.

PCI DSS
Status: Out of scope · tokens only
Elephant never sees primary account numbers. Stripe and your payment processor handle PAN data; we receive only the tokenised reference and the last-four. Our PCI scope is therefore SAQ-A; the AOC is available on request.
Artifact: saq-a-aoc.pdf · 18 KB

§§ 07 / Data residency

Pick a region. We'll pin every byte.

Sydney, Frankfurt, or US-East. Choose at signup; immutable thereafter. Most US ETL vendors run us-east-1 only and tell Australian and European retailers to file a data-export request if they want a copy. That's not residency, that's an inconvenience. Elephant lets you pin a region at signup, document it on your data-flow diagram, and stop having that conversation with procurement.

Sydney · ap-southeast-2
AU-anchored deployments. Default for customers signing up with an Australian billing address. Operated by AWS Australia in compliance with the AU Privacy Act.
Frankfurt · eu-central-1
EU/UK residency. EU SCCs and the UK addendum included in the DPA. Default for customers in the EEA, UK and Switzerland.
US-East · us-east-1
Default for North American customers. Includes a Northern-Virginia primary AZ and an Ohio replica AZ inside the same region.
Pinning
Region is chosen at signup. Once pinned, it is immutable — moving regions requires a written request, a fresh tenant, and a signed cutover plan.
Per-client residency
On the Agency tier, residency can be pinned per client tenant. A Melbourne agency can run AU brands in Sydney while serving a UK retailer from Frankfurt — both inside the same agency workspace, audit-logged separately.
Data-flow diagram
A region-stamped data-flow diagram is included in the procurement pack. Mark it up and send it back to your own data-flow register; we'll counter-sign it.

§§ 06 / Sub-processors

Every third party. Named. By region.

When we use a sub-processor to deliver Elephant — a hosting provider, an error tracker, a support inbox — it appears here with its purpose, region, and what data it sees. We notify customers 30 days before adding a new one. Agencies running Elephant against multiple client tenants see the same list — sub-processors are platform-wide, not per-tenant.

Amazon Web Services († agency)
Purpose: Compute, storage, KMS, networking. The platform Elephant runs on.
Region: AU (ap-southeast-2) · EU (eu-central-1) · US (us-east-1)
Data touched: All canonical records, backups, audit logs, encryption keys.

Cloudflare
Purpose: Edge proxy, DDoS protection, WAF, DNS. Terminates TLS at the edge.
Region: Global edge — origin requests routed to your residency region.
Data touched: Request metadata only. No record bodies are cached at the edge.

Stripe
Purpose: Payment processing for Elephant's own subscription billing.
Region: US (us-east-1) for billing data — distinct from product residency.
Data touched: Your billing contact email and credit-card token. No customer rows.

Sentry († agency)
Purpose: Application error tracking and performance telemetry.
Region: EU (eu-central-1) — self-hosted, single-tenant deployment.
Data touched: Stack traces and request IDs. PII scrubbed before transmission.

Linear
Purpose: Internal engineering issue tracking. Customer reports are anonymised before they land here.
Region: US (us-east-1) — Elephant's internal tenant, not yours.
Data touched: No customer data. Anonymised bug-report metadata only.

Plain
Purpose: Customer support inbox. Where your support@ tickets are routed.
Region: EU (eu-west-2) — single-tenant deployment.
Data touched: Email content you send to support@follow.app. No automatic record access.

† agency = data flows here when running Agency-tier multi-client workspaces · Last updated 2026-04-29

Subscribe to change notifications →

§§ 09 / Vulnerability disclosure

Found something? Tell us.

We treat every report seriously and we never take legal action against researchers acting in good faith. Bounty payouts are negotiated case by case until our HackerOne programme goes public in Q3 2026.

§ 01 / How to report

  • Email security@follow.app with reproduction steps and impact.
  • Encrypt with our PGP key if the issue is sensitive (Key ID 0x9F3C…D802).
  • Or use the HackerOne private programme — invite request via the email above.
  • For active exploitation in the wild, mark the subject [URGENT] and include a callback number.

§ 02 / What we ask

  • Test only against accounts you own. Do not pivot into other tenants — our partition will stop you, but the audit log will record the attempt.
  • No data exfiltration beyond what is necessary to demonstrate the issue.
  • No automated scanners that would degrade service for other customers.
  • Give us a fair window to fix before public disclosure — typically 90 days, negotiable on severity.

§ 03 / What we promise

  • Acknowledgement within 48 hours.
  • Triage within 5 business days, with a named owner.
  • Fix or compensating control within 30 days for high-severity issues.
  • Public credit on request, after the fix ships, in the changelog and on this page.

No legal action against good-faith researchers acting within this policy. Safe harbour extends to DMCA, CFAA, and equivalent statutes in AU, EU and the UK.

§§ 10 / Frequently asked

Eight questions. Two of them agency-aware.

The questions procurement reviewers and agency operators actually send us. Anything not answered here, email trust@elephant.com and we'll add it.

Can we keep our data in Australia?

Yes. Choose Sydney (ap-southeast-2), Frankfurt (eu-central-1), or US-East (us-east-1) at signup. The choice is immutable thereafter — your records, backups, and audit logs all live in the region you picked, and we don't replicate cross-region without your written consent.

On the Agency tier you can pin residency per client tenant, so a Melbourne agency can keep AU brands in Sydney while running a UK client in Frankfurt — both inside the same agency workspace.

When will you have SOC 2 Type II?

Type I letter is available on request today. The Type II observation window opens in Q3 2026 with a target report in Q1 2027. Auditor: Prescient Assurance. We'll publish the report on this page once received and notify subscribers via the change-notification list.

What does whitelabel actually cover? · agency

On the Agency tier, whitelabel covers your custom domain (reports.your-agency.com), your logo, your typography stack, your brand colours, your favicon, and the email envelope on every scheduled report — including the unsubscribe footer and the SPF/DKIM-aligned sender domain.

The "Powered by Elephant" line is off by default. Turning it on is a setting on your end, not ours. PDFs, dashboards, Slack notifications, and the client login page are all branded as your agency. Elephant's name does not appear in front of your client unless you put it there.

Can clients log in directly to their tenant? · agency

Yes. Each client tenant has its own login URL on your custom domain and its own RBAC scope — your client can be granted Viewer-level access to their own data, with their own SSO (Google, Microsoft, SAML on Enterprise) and their own audit trail.

Their view shows only their tenant. They never see other clients you run, the agency-level dashboard, or anything that suggests Elephant exists underneath. Cross-tenant isolation is a row-level partition, not a UI guard, so the boundary holds even if the client tries the API directly.

Who can see our data internally at Elephant?

Engineering and support staff can read tenant data only through a time-bound, named-purpose grant from an Owner on your account. Every grant lands in your audit feed with the operator's initials. There is no support-tier read access, no debugging shortcut, and no production-shell session that bypasses the grant. The grant mechanism itself is reviewed annually and was last audited 2026-02-11.

What's your incident-response process?

24/7 on-call rotation, paged via PagerDuty. Sev-1 incidents (data loss, integrity-hash mismatch, exposure of tenant data) trigger customer notification within 24 hours, regardless of confirmed impact. We publish a written post-mortem within 7 business days on status.follow.app, including timeline, root cause, customer-impact analysis, and the remediation plan. Last incident: 2026-01-22 — Klaviyo upstream rate-limit cascade, no data loss, full restore in 38m.

If we leave, what happens to our data?

On termination you have a 30-day export window during which the library remains queryable through the API and the UI. Beyond that, all canonical records, source snapshots, audit logs, and backups are cryptographically erased within 90 days — the per-tenant KMS key is destroyed, rendering ciphertext unrecoverable. Erasure is logged and the certificate is delivered to your nominated security contact within 14 days.

Do you have cyber-liability insurance?

Yes. $5M USD aggregate cyber-liability + E&O policy through Beazley, renewed annually. Certificate of insurance is in the procurement pack. Limits scale on Enterprise contracts where required — $10M and $25M tiers available, priced per contract.

§Procurement pack

One PDF. Forty minutes from question one to signature.

The procurement pack bundles everything on this page — SOC 2 Type I letter, CAIQ, SIG Lite, pen-test summary, DPA, sub-processor list, AU privacy policy, certificate of insurance, region data-flow diagram. Download it before the call. If your reviewer needs anything else, trust@follow.app answers in one business day.

Download the procurement pack
Book 30 minutes with trust@follow.app: cal.com/trust-follow/30min