
Enterprise FAQ

Everything your security, IT, and procurement teams need to know about IdeaLift.

Security & Compliance

Is IdeaLift SOC 2 compliant?
IdeaLift has not yet completed a SOC 2 audit; a formal Type II audit is planned. To date we have implemented 96% of the SOC 2 Type II controls across the Security, Availability, and Confidentiality trust services criteria. Our security practices include AES-256 encryption at rest (with AES-256-GCM for stored credentials), TLS 1.3 in transit, comprehensive audit logging, and role-based access controls. See our Security page for full details.
What encryption does IdeaLift use?
All data is encrypted in transit using TLS 1.3, with HSTS enforced so browsers will not fall back to plaintext HTTP. At rest, the database is encrypted with AES-256 via Azure SQL Transparent Data Encryption (TDE), which protects database files and backups at the storage layer and is transparent to the application. Because TDE does not limit what the application itself can read, sensitive credentials such as OAuth tokens and API keys are additionally encrypted at the application layer with AES-256-GCM, using dedicated encryption keys that are stored separately from the data they protect.
Do you have a Data Processing Agreement (DPA)?
Yes. Our DPA is available at /legal/dpa and can be downloaded as a PDF. It covers GDPR, CCPA, and standard contractual clauses for international data transfers.
Is IdeaLift HIPAA compliant?
We have implemented 90% of the HIPAA Security Rule technical safeguards. A Business Associate Agreement (BAA) is available on request for healthcare customers. Contact [email protected] for details.
How do you handle vulnerability disclosures?
We maintain a responsible disclosure program. Security researchers can report vulnerabilities to [email protected]. We acknowledge reports promptly and work with researchers to resolve issues before public disclosure.

Authentication & Access Control

Do you support Single Sign-On (SSO)?
Yes. SSO is available on Growth plans and above. We support SAML 2.0 and OAuth 2.0 with any compatible identity provider (Okta, Azure AD, OneLogin, etc.). Domain-based enforcement ensures all users from your organization authenticate through your IdP.
Do you support SCIM provisioning?
Yes. SCIM 2.0 provisioning is available on the Enterprise plan. It supports automated user and group management, including create, update, deactivate, and group assignment. Bearer token authentication secures the SCIM endpoints. Compatible with Okta, Azure AD, OneLogin, and other SCIM 2.0 providers.
What roles and permissions are available?
IdeaLift has two role hierarchies. Team roles (Owner, Admin, Member) control workspace access and administrative capabilities. Dashboard roles (Product Manager, Engineering Lead, Executive) control feature visibility and workflow permissions. Role management is available on Growth plans and above.
Do you support multi-factor authentication (MFA)?
Yes. MFA is available for all accounts. When SSO is configured, MFA is enforced through your identity provider, giving you centralized control over authentication policies.

Data & Privacy

Where is my data stored?
All data is hosted on Microsoft Azure in US East data centers. The database runs on Azure SQL with automatic geo-redundant backups. We do not currently offer EU-only data residency, but can discuss requirements for Enterprise customers.
Does IdeaLift read all my Slack/Teams/Discord messages?
No. IdeaLift does not store or scan your full chat history. It only processes messages that match configured signal patterns (e.g., emoji reactions, keywords, or explicit captures). Raw message content is processed transiently for classification and is not retained beyond the captured idea. See our Privacy Policy for details.
How do you handle AI/LLM data processing?
We use OpenAI and Anthropic for idea formatting, deduplication, and classification. Both providers are contractually prohibited from training on customer data. Prompts contain only the specific idea text being processed — never bulk data exports. Our sub-processor list documents all third-party data processors.
Can I export or delete my data?
Yes. IdeaLift supports GDPR Article 15 (right of access) and Article 17 (right to erasure) through automated DSAR workflows. Workspace admins can export all user data or request anonymization. Data exports are available in standard formats. Account deletion removes all data from production systems within 30 days; copies in encrypted backups age out on the 90-day backup retention schedule.
What is your data retention policy?
Active data is retained while your account is active. Deleted ideas are permanently removed after 30 days. Upon account deletion, all data is removed from production systems within 30 days. Encrypted backups are retained for 90 days for disaster recovery purposes, so deleted data can persist in backups for up to 90 days after it leaves production. Enterprise customers can request custom retention policies.

Audit & Monitoring

Do you provide audit logs?
Yes. Comprehensive audit logs are available on the Enterprise plan. They track 25+ action types including user authentication, idea CRUD operations, integration changes, member management, and settings modifications. Each entry includes user ID, timestamp, IP address, and user agent. Logs can be exported as JSON or CSV.
Can I integrate audit logs with my SIEM?
Audit logs can be exported via API in JSON format for ingestion into your SIEM or log management platform. For Enterprise customers, we can discuss direct integration options. Contact [email protected] for details.

API & Integrations

Do you offer API access?
Yes. API access is available as an add-on on the Growth plan and included in Enterprise. API keys carry scoped permissions and support expiration dates. Only a SHA-256 hash of each key is stored, so a key cannot be recovered from our database once issued. Rate limits are plan-based, ranging from 60 req/min (Starter) to 1,200 req/min (Enterprise).
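An added example, not IdeaLift's implementation, of the API key handling described above: keys are minted from 256 bits of randomness, only their SHA-256 hash is persisted, and every request is checked for revocation, expiry and the required scope. The `il_` prefix, the scope names and the in-memory store are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"time"
)

var (
	ErrUnauthorized = errors.New("invalid, revoked or expired API key")
	ErrForbidden    = errors.New("API key lacks the required scope")
)

// APIKeyRecord is what the database keeps. The plaintext key is absent:
// a leaked table yields only SHA-256 digests of high-entropy keys, which
// cannot be inverted or brute-forced.
type APIKeyRecord struct {
	Hash      string    // hex(SHA-256(plaintext key))
	Scopes    []string  // e.g. "ideas:read" (assumed scope names)
	ExpiresAt time.Time // zero value means no expiry
	Revoked   bool
}

// KeyStore stands in for the database table; lookups are by hash only.
type KeyStore struct {
	byHash map[string]*APIKeyRecord
}

func NewKeyStore() *KeyStore { return &KeyStore{byHash: map[string]*APIKeyRecord{}} }

// HashKey derives the stored lookup value. No salt or slow hash is needed
// here, unlike for passwords: the key has 256 bits of entropy, so
// dictionary and rainbow-table attacks do not apply.
func HashKey(plain string) string {
	sum := sha256.Sum256([]byte(plain))
	return hex.EncodeToString(sum[:])
}

// Create mints a key, stores only its hash, and returns the plaintext once.
// ttl <= 0 creates a non-expiring key. now is passed in to keep the logic testable.
func (s *KeyStore) Create(scopes []string, ttl time.Duration, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, raw); err != nil {
		return "", err
	}
	plain := "il_" + base64.RawURLEncoding.EncodeToString(raw) // "il_" prefix is an assumed convention
	rec := &APIKeyRecord{Hash: HashKey(plain), Scopes: append([]string(nil), scopes...)}
	if ttl > 0 {
		rec.ExpiresAt = now.Add(ttl)
	}
	s.byHash[rec.Hash] = rec
	return plain, nil
}

// Revoke disables a key given its stored hash, which is what an admin UI lists.
func (s *KeyStore) Revoke(hash string) {
	if rec, ok := s.byHash[hash]; ok {
		rec.Revoked = true
	}
}

// Authorize checks a presented key against the store for one required scope.
// Unknown, revoked and expired keys all return ErrUnauthorized so a caller
// cannot tell them apart; a valid key without the scope returns ErrForbidden.
func (s *KeyStore) Authorize(presented, requiredScope string, now time.Time) error {
	rec, ok := s.byHash[HashKey(presented)]
	if !ok || rec.Revoked {
		return ErrUnauthorized
	}
	if !rec.ExpiresAt.IsZero() && !now.Before(rec.ExpiresAt) {
		return ErrUnauthorized
	}
	for _, sc := range rec.Scopes {
		if sc == requiredScope {
			return nil
		}
	}
	return ErrForbidden
}

func main() {
	store := NewKeyStore()
	now := time.Now()
	plain, _ := store.Create([]string{"ideas:read"}, 30*24*time.Hour, now)
	fmt.Println("show once to the user:", plain)
	fmt.Println("read now:    ", store.Authorize(plain, "ideas:read", now))
	fmt.Println("write now:   ", store.Authorize(plain, "ideas:write", now))
	fmt.Println("read in 31d: ", store.Authorize(plain, "ideas:read", now.Add(31*24*time.Hour)))
	store.Revoke(HashKey(plain))
	fmt.Println("after revoke:", store.Authorize(plain, "ideas:read", now))
}
```

Because the lookup is by the hash of a high-entropy secret, a plain map or indexed column is sufficient and there is no secret-dependent comparison to make constant-time; the timing-sensitive case is webhook signatures, where the attacker controls the value being compared.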
Which integrations are available?
IdeaLift integrates with Slack, Microsoft Teams, Discord, GitHub, Linear, Jira, Zendesk, Intercom, Freshdesk, HelpScout, Gmail, and more. All integrations use OAuth 2.0 with encrypted token storage. Inbound webhook signatures are verified with timing-safe (constant-time) comparisons, so a signature check does not leak information through response timing. See our Integrations page for the full list.
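The page states only that webhook signatures are checked with timing-safe comparisons; the signing scheme below (HMAC-SHA256 over timestamp and body, hex-encoded, with a bounded clock skew) is an assumed one for illustration, not IdeaLift's documented format. This is an added example, not the project's code, and the shared secret and payload are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

var (
	ErrBadSignature = errors.New("webhook signature invalid")
	ErrStale        = errors.New("webhook timestamp outside the accepted window")
)

// MaxSkew bounds how far a request's timestamp may be from the receiver's
// clock. It caps how long a captured request stays replayable.
const MaxSkew = 5 * time.Minute

// computeMAC is the shared HMAC-SHA256 over ts || "." || body. Covering the
// timestamp means a valid signature cannot be reattached to a fresh timestamp.
func computeMAC(secret []byte, ts int64, body []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(strconv.FormatInt(ts, 10)))
	mac.Write([]byte("."))
	mac.Write(body)
	return mac.Sum(nil)
}

// Sign is what a sender attaches, as a hex string, alongside the timestamp.
func Sign(secret []byte, ts int64, body []byte) string {
	return hex.EncodeToString(computeMAC(secret, ts, body))
}

// Verify is what a receiver runs before trusting the body. The signature is
// checked first, so the timestamp is only honoured once it is authenticated;
// every failure other than staleness collapses into ErrBadSignature.
func Verify(secret []byte, tsHeader, sigHeader string, body []byte, now time.Time) error {
	ts, err := strconv.ParseInt(tsHeader, 10, 64)
	if err != nil {
		return ErrBadSignature
	}
	got, err := hex.DecodeString(sigHeader)
	if err != nil {
		return ErrBadSignature
	}
	// hmac.Equal runs in constant time over its inputs. A plain == or
	// bytes.Equal returns at the first differing byte, so response time would
	// reveal how many leading bytes of a forged signature were right.
	if !hmac.Equal(computeMAC(secret, ts, body), got) {
		return ErrBadSignature
	}
	if d := now.Sub(time.Unix(ts, 0)); d > MaxSkew || d < -MaxSkew {
		return ErrStale
	}
	return nil
}

// insecureVerify is the pattern the constant-time check replaces; it is kept
// here only for contrast and must not be used.
func insecureVerify(secret []byte, ts int64, sigHeader string, body []byte) bool {
	return Sign(secret, ts, body) == sigHeader // short-circuits on the first mismatch
}

func main() {
	secret := []byte("constructed-shared-secret")               // assumed, shared out of band
	body := []byte(`{"idea":"dark mode","source":"slack"}`)    // constructed payload
	ts := time.Now().Unix()
	sig := Sign(secret, ts, body)
	tsHeader := strconv.FormatInt(ts, 10)

	fmt.Println("genuine: ", Verify(secret, tsHeader, sig, body, time.Now()))
	fmt.Println("tampered:", Verify(secret, tsHeader, sig, []byte(`{"idea":"dark mode","source":"evil"}`), time.Now()))
	fmt.Println("replayed:", Verify(secret, tsHeader, sig, body, time.Now().Add(10*time.Minute)))
	fmt.Println("insecure compare gives the same answer, but its timing depends on the guess:", insecureVerify(secret, ts, sig, body))
}
```

Verifying the signature before the timestamp ensures the receiver never acts on an unauthenticated timestamp, and the skew window turns a captured request into a short-lived replay rather than a permanent one; a receiver that must reject replays entirely within the window additionally records seen signatures for MaxSkew.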
Can I build custom integrations?
Enterprise customers can use the API to build custom integrations with internal tools, data warehouses, or BI platforms. We also support inbound webhooks for sending data into IdeaLift from any source.

Billing & SLA

What is your uptime commitment?
We commit to 99.9% monthly uptime for paid plans, backed by service credits if we fall short. Scheduled maintenance is communicated at least 48 hours in advance. Full details are in our Service Level Agreement.
What support response times do you offer?
Response times depend on severity and plan. Critical issues (service down): 1 hour for Enterprise, 4 hours for Growth, 8 hours for Pro. Standard requests: 4 hours for Enterprise, 24 hours for Growth. Enterprise customers also receive a dedicated success manager.
Do you offer annual pricing?
Yes. Annual plans offer a discount compared to monthly billing. Pro: $129/mo annually (vs $149/mo monthly). Growth: $249/mo annually (vs $299/mo monthly). Enterprise pricing is custom based on your organization's needs.
Can I start with a trial?
Yes. We offer a 14-day free trial with full access to all features on Pro or Growth plans. You won't be charged until the trial ends. At the end of the trial, your workspace becomes read-only — no data is deleted. You can subscribe at any time to resume full access.

Resources

Need more details?

Our team can walk through your security questionnaire, provide custom documentation, or set up a proof-of-concept for your organization.