Security, Data Privacy and GDPR

We’ve gone through numerous security assessments with our customers, and we know that security matters for a high-quality B2B SaaS. This page shows a selection of questions around the security of SIGNL4. We cannot provide all (sensitive) details here but are happy to share further information on request or as part of an approval process.

Is SIGNL4 GDPR compliant?

GDPR compliance

SIGNL4 is fully GDPR compliant. Our European Data Center is in Amsterdam, Netherlands (Microsoft Azure Data Center).

Data Processing Agreement

For best GDRP compliance and for customers in the European Union, we do provide for a full data processing agreement which can be examined here and, if needed, signed electronically.

Data Privacy Policy

You can find our data privacy policy here.

Are SIGNL4 data centers certified (SOC2, etc)?

SIGNL4 is hosted on Microsoft Azure. Azure data centers do have various certifications including SOC2. Read more here

Do you encrypt my data?

Full at-rest encryption

Storage of SIGNL4 data in Azure is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.

Full in-transit data encryption

Service connectivity is secured via SSL (REST) and TLS (SMTP). We also encrypt communication between our node-clusters and internal applications based on TLS 1.2.

Partial in-use data encryption

We encrypt/hash certain content like service passwords and 3rd party tool service account passwords and compare only hashed data. Certain logical operations on content like keyword matching algorithm however require decrypted processing.

What is foundation of your authentication methods?

Authentication of the mobile app is token-based and data are automatically erased from the mobile device if no valid authentication is provided. The authentication against external providers like Microsoft Azure AD is also based on tokens. Please, contact us in case you require more details.

Where are my data, where is SIGNL4 hosted?

SIGNL4 is hosted in a European (EU) data center of Microsoft Azure.

Do you perform SAST/DAST/PEN checks?

Yes, we have continuous DAST (Dynamic Application Security Testing) running, using a commercial tool on at least a weekly basis. We can provide you with reports as part of a security assessment.

We also perform SAST (Static Application Security Testing) as well as SCA (Source Code Analysis) testing. Manual PEN testing will be conducted shortly.

Do you have a firewall in place?

Yes, of course. The SIGNL4 cluster is protected by a commercial firewall.

Which TLS version do you support/enforce?

We do not enforce a TLS version but do support TLS 1.2.

Do you have a data retention policy in place? Can I delete my data?

Yes. You have full control over your data. If you choose to delete your account, we delete all your data. We fully operate under European GDPR.

As long as your account is active, we retain your data. We retain notification/message/event data up to 12 months, depending on your subscription plan.

Do you have a disaster recovery policy in place? How about backups?

Yes. First of all, SIGNL is a multi-node cluster application with inherent high availability and failover. Our DR also includes daily off-site backups, resulting in an RPO (Recovery Point Objective) of 24 hours. We are also using 3rd party services and try make sure those meet or exceed our own availability goals.

You can track our uptime of close to 99.99% here: 

How do you segregate customer data?

SIGNL4 is public SaaS. So, we’ve implemented logical data segregation in our code based on client and API keys. This prevents access to any data except your own, including through our API.

Do you have key and password management policy?

Yes. APIs keys and passwords (customer login) are stored in hashed format. API keys are only shown once to the user upon creation.

How do you protect access to data by your employees?

We have a wide range of policies (TOMs – technical and organizational measures) in place, ranging from physical access control, digital access rights control, multi-factor authentication and so on. Please, refer to our Data Processing Agreement for more details.

Do you support MFA?

We currently support MFA (multi-factor authentication) through Microsoft Azure AD, Google and Apple authentication if you enable MFA with these providers. For our custom login, we have plans to implement MFA.