Security & trust

Security is the product.

You're trusting Sablewatch with your most sensitive signals, so we hold our own posture to the bar we hold yours. Here's exactly how we handle your data — and where we are on compliance.

Encrypted everywhere

All data is encrypted in transit (TLS 1.2+) and at rest. Secrets are stored in managed key vaults, never in code.

Per-tenant isolation

Every customer's data is isolated at the database level with row-level security — your records are never reachable by another tenant.

Least privilege by default

We request the minimum scopes needed and start read-only. Response permissions (disable an account, block an IP) require a separate, explicit grant.

You stay in control

Revoke any connection at any time — access stops immediately. Request full data deletion whenever you choose.

What we store — and what we don't

Security metadata
Sign-in events, audit logs, alerts, and the actions Sablewatch takes.
Your content
We never ingest the contents of your files, emails, or messages.
Standing admin keys
Response actions run through scoped, revocable grants — not stored master credentials.

Compliance — where we honestly are

SOC 2 Type II is in progress, not yet complete. We'd rather tell you that than imply otherwise. Our architecture (encryption, isolation, least privilege, audit logging) is built to the standard the report certifies. If you need the report before connecting production systems, talk to us about timeline and a scoped pilot.

Subprocessors

We keep our stack lean and reputable: Vercel (application hosting) and Supabase (database & authentication). Both are SOC 2 compliant. We'll always keep this list current.

Report a vulnerability

Found something? We want to hear it. Email security@sablewatch.com and we'll respond fast. We don't pursue good-faith researchers.