Security

How we keep your data safe

Effective Date: 2026-04-16 · Last Updated: 2026-04-16

You hand us your business name, your target markets, and the keywords that matter most to your pipeline. We run observations on your behalf and generate reports you will act on. That data deserves straightforward, honest protection — not marketing language.

This page tells you exactly what we do, what we are still building toward, and how to reach us if something looks wrong.


Infrastructure

Where we run: SignalAEO's production infrastructure runs on Amazon Web Services (AWS Lightsail) in the us-west-1 (Northern California) region, with backups replicated to us-west-2 (Oregon). We chose AWS for its mature compliance programs and our team's operational experience there.

What that means for you: AWS maintains physical security, power redundancy, and network infrastructure at the data center level. You can review AWS's infrastructure certifications — including SOC 1, SOC 2, ISO 27001, and FedRAMP — at aws.amazon.com/compliance.

Our own infrastructure posture:

  • Production and development environments are fully separated — no test data runs alongside real customer data
  • Network access is controlled via VPC (Virtual Private Cloud) with security groups that restrict traffic to only what the application requires
  • We use managed services where possible to reduce the attack surface
  • Infrastructure is managed as code with Terraform; all production changes go through GitHub-based pull-request review with no ad-hoc manual changes

SOC 2: We are working toward SOC 2 Type II certification. A gap assessment has been completed and engagement with an assessor is targeted for 2026-H2. We will publish the report (or a summary) to customers under NDA once it is complete.


Encryption

In transit: All data moving between your browser and our servers is encrypted using TLS 1.2 or higher, enforced at the load balancer. We do not accept connections over unencrypted HTTP for any authenticated endpoint. Internal service-to-service traffic within our VPC is also TLS-encrypted.

At rest: Customer data stored in our databases and object storage is encrypted at rest using AES-256. Encryption keys are managed via AWS Key Management Service (KMS) with automatic annual rotation.

Backups: Backup data is encrypted using the same AES-256 standard as primary data.

What we do not do: We do not store plaintext passwords. Passwords are hashed before storage using Argon2id, with a minimum cost parameter calibrated to 250ms on production hardware.


Access Controls

Least privilege: Every team member who accesses production systems is granted only the permissions they need to do their job — nothing more. Access rights are reviewed quarterly and revoked promptly when a team member's role changes or they leave.

Authentication:

  • Internal team access to production systems requires multi-factor authentication (MFA)
  • We use Google Workspace SSO (Single Sign-On) for team accounts
  • Production access is via AWS SSM Session Manager — no public SSH, no bastion host required, no direct database access from the public internet

Customer account security:

  • You control your own account credentials; we recommend using a unique, strong password and enabling MFA. End-user MFA is currently offered via TOTP (Google Authenticator, Authy, 1Password); hardware security keys (FIDO2 / WebAuthn) are on the 2026 roadmap
  • Support staff can access your account settings only with your explicit authorization or to resolve a verified support issue

Audit logging: Access to production systems and sensitive operations is logged. Logs are retained hot for 12 months, then archived to cold storage for an additional 24 months, and reviewed periodically for anomalies.


Data Locations and Residency

Primary data location: All customer data is stored and processed in AWS us-west-1 (Northern California), United States.

Backups: Backups are replicated to AWS us-west-2 (Oregon) for geographic redundancy.

Device farm observations: Our observation device fleet consists of SignalAEO-managed consumer-grade mobile devices located in multiple US regions. Devices are enrolled in MDM, run regularly patched stock OS configurations, and do not collect data from their underlying OS beyond the SignalAEO-scoped query data. Device query traffic passes through the networks those devices use naturally — this is intentional and necessary for authentic, location-specific AI response observation.

EU/UK data: If you are a customer in the European Union or United Kingdom, your personal account data (name, email, billing info) is transferred to and stored in the US. We rely on Standard Contractual Clauses (SCCs) to provide appropriate safeguards for those transfers. A Data Processing Agreement (DPA) is available on request.

We do not currently offer EU data residency (storing all customer data exclusively within EEA boundaries). EU residency is being evaluated as a future option but is not committed on a timeline.


Backup and Disaster Recovery

We run regular backups of customer data and maintain recovery procedures so that an incident does not mean permanent data loss.

Metric | Target
Recovery Point Objective (RPO) — maximum data loss window | 24 hours
Recovery Time Objective (RTO) — time to restore service after a disaster | 4 hours

Backup frequency: Database backups run as daily snapshots plus continuous write-ahead log shipping to a separate region (us-west-2).

Backup testing: We test our ability to restore from backup quarterly. A backup that has never been tested is not a backup.

What happens in a regional AWS outage: In the event of an extended us-west-1 outage, our recovery plan calls for restoring service from backups in our failover region, us-west-2 (Oregon).


Incident Response

If something goes wrong, you hear about it. We run a formal incident response process that covers detection, containment, investigation, notification, and post-incident review.

Notification timeline:

  • Suspected breach affecting customer data: We will notify affected customers within 72 hours of becoming aware of a confirmed material breach, consistent with GDPR Article 33 and applicable US state breach notification laws.
  • Notification will include: what happened, what data was affected, what we are doing, and what you can do

Regulatory notification: Where required by law, we will also notify the appropriate supervisory authority within the legally required timeframe.

Post-incident review: After any significant incident, we conduct a written post-mortem to identify root causes and prevent recurrence. Post-mortem summaries for material incidents are shared with affected customers on request.


Third-Party Risk Management

Our service depends on a small set of trusted third-party providers (sub-processors). Each provider is evaluated before we use them, and we maintain contractual data protection obligations with each.

How we evaluate sub-processors:

  • Review of the provider's own security posture (SOC 2 reports, certifications, security documentation)
  • Data processing agreements in place before any customer data is shared
  • Regular review of the sub-processor list as our stack evolves

Current sub-processors: The complete list of our current sub-processors, including the data each receives, processing location, and relevant security certifications, is published at our Sub-processors page. We provide 30 days' advance email notice before engaging a new sub-processor that processes customer personal data.

Changes to sub-processors: 30 days' advance notice via email to account administrators who have subscribed to sub-processor notifications, per the process at /subprocessors/#notifications.


Penetration Testing

What we do: We conduct penetration tests to find vulnerabilities before others do.

Current cadence: Annual, beginning in 2026.

Scope: Tests cover our web application, API endpoints, and authentication systems. Infrastructure-level testing is covered by AWS's own testing programs.

Who conducts the tests: An independent third-party firm. Summary reports are available to enterprise customers under NDA.

Most recent test: Completed in 2026-Q1. We remediate critical findings within 30 days, and high-severity findings within 7 days of discovery.


Compliance

Here is an honest summary of where we stand on the main frameworks. "In progress" means we are actively working toward it. It does not mean we are certified.

Framework / Regulation | Status
GDPR (EU General Data Protection Regulation) | We process EU personal data and maintain practices designed to comply — SCCs, DPA availability, Privacy Policy disclosures, rights request handling
CCPA / CPRA (California) | We have assessed our data practices against CCPA/CPRA requirements and have implemented required disclosures and rights mechanisms
CAN-SPAM | We comply with CAN-SPAM requirements for commercial email, including clear identification, opt-out mechanisms, and physical address disclosure
SOC 2 Type II | Not yet complete. Gap assessment performed; engagement with an assessor targeted for 2026-H2
ISO 27001 | Not currently certified; not on our near-term roadmap
PCI DSS | We do not store, process, or transmit payment card data; this is handled by Stripe, a PCI DSS Level 1 Service Provider
HIPAA | Not applicable — SignalAEO is not a Business Associate

Responsible Disclosure

We want to hear from security researchers. If you discover a vulnerability in our systems, we ask that you let us know before making it public so we have a chance to fix it.

How to report

Email: contact@signalaeo.com

Please include in your report:

  • A description of the vulnerability
  • Steps to reproduce it
  • The potential impact, as you see it
  • Your contact information (optional, but helpful for follow-up)

What to expect from us

  • We will acknowledge your report within 3 business days
  • We will keep you informed of our progress as we investigate and remediate
  • We will not take legal action against researchers who act in good faith and follow this process

What we ask of you

  • Do not access, modify, or exfiltrate customer data beyond what is necessary to demonstrate the vulnerability
  • Do not perform denial-of-service testing
  • Do not publicly disclose the vulnerability until we have had a reasonable time to fix it (our coordinated disclosure window is 90 days from your report)

Bug bounty: We do not currently operate a formal bug bounty program, but we gratefully acknowledge researchers who help us improve security. We will add a public credit to this page on request.


Data Processing Agreement

If you are subject to GDPR and require a Data Processing Agreement (DPA) with SignalAEO, one is available on request.

Request a DPA by emailing contact@signalaeo.com with subject "DPA Request". We respond within 5 business days with a countersigned copy. Our standard DPA terms are published at /dpa/.


Frequently Asked Questions

Who can access my data at SignalAEO?

SignalAEO personnel do not access customer data except (a) to provide support when requested by the customer, (b) to investigate security or abuse, or (c) as required by law. All such access is logged. Production access requires AWS SSM Session Manager, MFA, and role-based permissions.

Does SignalAEO sell my data?

No. We do not sell your personal information or your business data to third parties. We use aggregated, de-identified data to understand industry trends — that data cannot identify you or your business.

Is the device farm secure?

The devices in our observation fleet are SignalAEO-managed consumer-grade mobile devices, enrolled in MDM, running regularly patched stock OS configurations. They run structured, scoped queries and do not collect data from the device owners' personal activity beyond the SignalAEO-scoped query data. Query results are transmitted to our infrastructure over encrypted connections.

What happens to my data if I cancel?

Your data remains available for export for 30 days after your subscription ends. After that, we delete your personally identifiable account data and report configurations within 60 days, except as required by law (tax, legal hold). Aggregated, de-identified data derived from your observations may be retained in our analytics systems indefinitely, but it cannot be linked back to your business.

Are you GDPR compliant?

We process EU personal data and have implemented practices designed to comply with GDPR — including Standard Contractual Clauses for international transfers, a Privacy Policy with required disclosures, and a process for handling data rights requests. Our DPA is published at /dpa/. We are not a "GDPR-certified" entity (no such certification exists), but we take our obligations seriously and have engaged legal counsel to review our practices.

Do you have a SOC 2 report I can review?

We are working toward SOC 2 Type II certification. A gap assessment has been performed and engagement with an assessor is targeted for 2026-H2. Once complete, the report will be available to enterprise customers under NDA. If your organization requires a SOC 2 report for vendor approval today, please contact us at contact@signalaeo.com — we can discuss what documentation we can provide in the interim.

How quickly do you patch security vulnerabilities?

Critical vulnerabilities: immediate triage with mitigations applied within 72 hours. High-severity: within 7 days of discovery. Medium and lower: addressed in our regular release cycle.


Contact Security

For security questions, vulnerability reports, or DPA requests:

SignalAEO LLC
3300 Triumph Blvd, Suites 100 and 200
Lehi, UT 84043
Security: contact@signalaeo.com
Legal: contact@signalaeo.com
