Security & compliance — encryption, GDPR, audit logs

Encryption

• In transit: TLS 1.3 to all API and web endpoints.
• At rest: Postgres database encrypted at the disk level (AWS-managed key).
• Sensitive credentials (OAuth tokens, BYOK API keys) AES-256-GCM encrypted before storage. Keys held in a separate KMS.
• Backups: encrypted, point-in-time-recoverable for the last 7 days (Free / Pro), 30 days (Teams).

Authentication

• Sign in with Google, Microsoft, email + password, or magic link.
• 2FA available on all plans (TOTP); enforceable workspace-wide on Teams.
• SSO (SAML) on Teams plan — bring your IdP (Okta, Azure AD, Google Workspace as IdP).

GDPR / data subject requests

1. 1

   Export everything

   Settings → Privacy → Export workspace. JSON export of every contact, deal, task, activity, and the workspace metadata. Delivered as a downloadable archive within 24 hours.

   Privacy settings
2. 2

   Delete a specific contact

   Open contact → ⋯ → Delete contact + all associated data. Hard-delete; not recoverable. The audit log keeps a record that the deletion happened, but the contact data itself is gone.

3. 3

   Delete a workspace

   Settings → Organization → Danger zone → Delete workspace. 7-day soft-delete window during which an Owner can restore. After 7 days, irreversible.

Audit log (Teams plan)

Every state-changing action (create / update / delete on contacts, deals, settings) is logged with: actor, target, before / after values, IP, timestamp. Exportable as CSV. Settings → Audit log.

Compliance status

Sambandh follows SOC 2 compliance practices internally (least-privilege access, monitored production, encrypted secrets, no shared credentials). We are not currently third-party audited for SOC 2 Type II certification — when we are, this page will be updated and the certification report will be available on request.