Security you can forward to review
How we host, protect, and hand back your data — stated plainly, so your security team can sign off without a back-and-forth.
Built so you can forward this page to security review
We're straightforward about what's live today and what's in flight.
SOC 2 Type II
Audit in progress with an AICPA-registered firm.
EU data residency
Hosted on EU infra with regional processing on request.
SSO & role-based access
SAML SSO available on the Team plan. SCIM on request.
Your data, exportable
Full CSV & JSON export of every source, journey, and response.
PII & data retention controls
Field-level PII handling with configurable retention windows. Ingestion is near-real-time, not nightly batch.
Need a DPA, pen-test report, or subprocessor list? security@touchplot.com
Three principles we hold ourselves to
Least data, by default
We only ingest the signals a journey needs, and you choose which sources connect. Disconnect a source and its data stops flowing.
You own your data
Every source, journey, and survey response is exportable as CSV or JSON at any time. Delete your workspace and it's gone.
Honest about status
We tell you what's live and what's in flight — no compliance theatre. If something isn't ready yet, the page says so.
Need a DPA, pen-test report, or subprocessor list?
Tell us what your review needs and we'll send it over.
Email security@touchplot.com