The Trust Center

One place to understand how Neuraphic protects customer data, where that data is stored, and the commitments we make to security, privacy, and compliance.


Customers deploying AI systems into security-critical environments need to know exactly how their data is handled. This page is the authoritative, up-to-date account of how Neuraphic builds, runs, and defends the infrastructure that holds customer data. It is the starting point for procurement reviews, security questionnaires, and legal diligence.

If you cannot find an answer here, contact security@neuraphic.com for technical security questions, privacy@neuraphic.com for data protection requests, or legal@neuraphic.com for contractual matters, including DPAs.

How we protect customer data

Defense in depth. Customer data is protected by overlapping controls at the network, host, application, and identity layers. A failure at any one layer does not result in data exposure. Our production environment is segmented, every service runs with least-privilege credentials, and all administrative access is gated by hardware-backed multi-factor authentication.

Secure software development. Every change to production goes through code review, automated security testing, and a deployment pipeline that verifies build provenance. Secrets are never checked into source control. Dependencies are tracked and patched on a known schedule. Our engineers do not have standing access to customer data.

Where data is stored

Production workloads run on Google Cloud Platform. Our primary region today is US-Central. A European region is in active deployment and is expected to be customer-available in the second half of 2026. Edge traffic — TLS termination, DDoS protection, and static asset delivery — is handled globally by Cloudflare, which never stores application database contents.

Customer-submitted data stays in the region associated with the customer's account. We do not replicate customer content across regions without explicit consent. For full regional detail, see Availability.

Encryption

In transit. All traffic between customers and Neuraphic, and all traffic between our internal services, is encrypted with TLS 1.3. We support modern cipher suites only and do not tolerate protocol downgrade.

At rest. Persistent storage is encrypted using AES-256 via cloud-managed keys. Key rotation is automated. Customer secrets such as API keys and session tokens are stored hashed or encrypted with dedicated key material, never as plaintext.

Access controls and audit logging

Production access is granted through a role-based system that maps to job responsibilities and is reviewed quarterly. Access requires hardware MFA and is logged centrally. Administrative sessions are recorded. Logs are immutable for the retention period and are monitored for anomalous patterns.

Customers can restrict access within their own organization through roles and permissions exposed in the console. Enterprise customers can integrate with their identity provider via SAML and SCIM provisioning.

Incident response

We maintain an incident response plan that defines severities, on-call rotations, communication channels, and customer notification obligations. If we become aware of a security incident that affects customer data, we notify affected customers without undue delay, in line with our contractual commitments and applicable law.

Post-incident, we publish a public summary where appropriate and feed every finding back into our engineering and detection systems. For the disclosure policy that governs external researcher reports, see Responsible disclosure.

Compliance posture

SOC 2 Type II. In progress. We have built our control environment against the Trust Services Criteria and are working with an independent auditor toward a Type II report.

ISO 27001. Working toward certification. Our information security management system is aligned with ISO 27001 controls, and we are scoping a formal certification engagement.

GDPR. We process personal data in alignment with GDPR obligations. Customers acting as controllers may request a Data Processing Addendum; standard contractual clauses are available for international transfers where applicable.

CCPA. We honor the rights of California residents under the CCPA and provide a straightforward path to access, correct, and delete personal information.

HIPAA. We align technical and administrative controls with HIPAA's Security Rule. We are not a general-purpose HIPAA-covered service, and customers intending to process protected health information should contact enterprise@neuraphic.com before doing so.

Sub-processors

We rely on a small set of sub-processors to operate the service. The current list, the categories of data each processes, and the regions involved are published on the Sub-processors page. Customers can subscribe to change notifications so that additions are announced before they take effect.

Customer commitments

Every customer receives the commitments described on this page. Enterprise customers receive additional contractual guarantees, including a Data Processing Addendum, a defined incident notification window, and the right to receive our audit reports under NDA once they are available.

A DPA is available on request. Email legal@neuraphic.com with your company name, the jurisdictions you operate in, and the products you use.

Vulnerability disclosure

We welcome reports from security researchers. Our bug bounty program defines the scope, rules, and recognition we offer. For the broader responsible disclosure commitment, including our safe-harbor language, see Responsible disclosure.

Further reading

Safety
Security & compliance
Sub-processors
Responsible Scaling Policy
Bug bounty

Trust is earned through the controls we build, the commitments we keep, and the evidence we publish.