Security

Your data is safe with us

Security isn't a feature — it's the foundation everything else is built on. Here's how we protect your data.

Encryption

All data is encrypted both in transit and at rest using industry-standard protocols.

  • TLS 1.2+ for all data in transit
  • AES-256 encryption for data at rest
  • Encrypted database backups
  • End-to-end encrypted integration credentials

Infrastructure

Hosted on trusted cloud infrastructure with built-in redundancy and disaster recovery.

  • AWS cloud infrastructure with multi-AZ deployments
  • Automated daily backups with 90-day retention
  • 99.9% uptime SLA for Pro and above
  • Geographic data residency options (Enterprise)

Access Control

Fine-grained permissions ensure only the right people access the right data.

  • Role-based access control (RBAC)
  • SSO with SAML 2.0 and OIDC (Scale & Enterprise)
  • Multi-factor authentication support
  • Workspace-level data isolation

Compliance & Auditing

We maintain rigorous compliance standards and provide full audit transparency.

  • SOC 2 Type II certified
  • GDPR and CCPA/CPRA compliant
  • Comprehensive audit logs for all user actions
  • Annual third-party penetration testing

Incident Response

A dedicated process ensures rapid detection, containment, and communication of security events.

  • 24/7 automated threat monitoring
  • 72-hour breach notification commitment
  • Documented incident response playbooks
  • Post-incident review and public transparency reports

AI Data Privacy

Your data is never used to train models. AI processing is isolated and ephemeral.

  • Zero-data-retention agreements with all AI providers
  • Customer Data never used for model training
  • Per-workspace data isolation for AI processing
  • No cross-customer data commingling

Our security commitments

Detailed practices that govern how we handle, store, and protect your information.

Data Handling

Customer Data Ownership

You retain full ownership of all data you upload to NorthStar. We never claim rights to your Customer Data. Our access is limited strictly to what is necessary to operate the Service, and only authorized personnel with a legitimate business need may access Customer Data, subject to strict access controls and audit logging.

Data Isolation

Each Workspace is logically isolated at the application and database layers. Customer Data from one Workspace is never accessible to or commingled with data from another Workspace. AI processing is scoped exclusively to the requesting Workspace.

Data Residency

By default, Customer Data is stored in the United States (AWS us-east-1). Enterprise customers may select a preferred data residency region, including the European Union, to comply with local data sovereignty requirements. Contact us for available regions.

Data Retention and Deletion

Customer Data is retained according to the limits of your Subscription Plan. You may delete individual records or your entire Workspace at any time. Upon Account termination, all Customer Data is permanently purged from production systems within 30 days and from encrypted backups within 90 days.

Application Security

Secure Development Lifecycle

All code undergoes mandatory peer review before merging. We maintain automated static analysis (SAST), dependency scanning, and secret detection in our CI/CD pipeline. Critical vulnerabilities are patched within 24 hours of discovery. We follow OWASP Top 10 guidelines and conduct regular internal security reviews.

Authentication and Authorization

Passwords are hashed using bcrypt with per-user salts. We support multi-factor authentication (MFA) and single sign-on (SSO) via SAML 2.0 and OpenID Connect on Scale and Enterprise plans. Session tokens are cryptographically signed, short-lived, and automatically rotated. API keys are scoped to specific permissions and can be revoked at any time.

API Security

All API endpoints require authentication. Rate limiting is enforced per-account and per-endpoint to prevent abuse. API requests are validated against strict schemas, and all input is sanitized to prevent injection attacks. CORS policies restrict cross-origin access to authorized domains only.

Infrastructure Security

Network Security

Our infrastructure is deployed within private virtual networks with no direct public internet access to backend services. All internal service-to-service communication is encrypted. We use Web Application Firewalls (WAF) and DDoS protection at the edge. Port access is restricted to the minimum necessary, and security groups are regularly audited.

Monitoring and Logging

We maintain centralized logging for all infrastructure and application events. Logs are retained for 12 months and are protected against tampering. Automated alerting detects anomalous patterns, unauthorized access attempts, and configuration drift. Security events are escalated to our on-call team in real time.

Business Continuity

Production databases are replicated across multiple availability zones with automated failover. Backups are encrypted, tested regularly for recoverability, and stored in a separate geographic region. Our recovery time objective (RTO) is under 4 hours and recovery point objective (RPO) is under 1 hour for all customer data.

Third-Party Security

Sub-processor Management

All third-party sub-processors undergo security review before engagement and are bound by Data Processing Agreements (DPAs) requiring controls no less protective than our own. We maintain a current list of sub-processors and will notify customers of any changes. Enterprise customers may object to new sub-processors.

AI Provider Security

We maintain zero-data-retention agreements with all AI inference providers. Customer Data sent for AI processing is transmitted over encrypted channels, is not logged by the provider, and is not used to train or improve any models. We evaluate each provider's security posture annually and require SOC 2 compliance or equivalent.

Vulnerability Disclosure

We welcome responsible security research. If you discover a vulnerability in the NorthStar Service, please report it to security@northstar.dev. We commit to:

  • Acknowledging receipt within 1 business day
  • Providing an initial assessment within 5 business days
  • Not pursuing legal action against researchers who act in good faith and comply with this disclosure policy
  • Crediting researchers (with permission) in our security advisories

Please do not access, modify, or delete other users' data during testing. Use test accounts and sandboxed environments where possible.

Contact

For security-related questions, concerns, or to request our SOC 2 report, contact our security team at security@northstar.dev.