Your data. Your control.
Our responsibility.
IdeaLift runs on Microsoft Azure with encryption at every layer, GDPR compliance, and the access controls your security team expects.
- Microsoft Azure: US East hosted
- SOC 2 controls: implemented
- GDPR: compliant
- Microsoft Partner: verified
Infrastructure
Built on Microsoft Azure with defense in depth at every layer.
Cloud & Compute
- Microsoft Azure App Service (US East)
- Azure SQL with Transparent Data Encryption (TDE)
- Azure Key Vault for secrets management
- Automated failover and geo-redundant backups
Encryption
- TLS 1.3 for all data in transit (HSTS enforced)
- Azure SQL Transparent Data Encryption (AES-256) at rest
- Secrets stored in Azure Key Vault (not in code or app settings)
- Database backups encrypted and geo-redundant
Network & Perimeter
- Azure Web Application Firewall (WAF)
- DDoS protection at infrastructure level
- Rate limiting on all API endpoints
- Webhook signature verification (HMAC-SHA256)
Access & Identity
- Role-based access control (Owner, Admin, Member)
- MFA required for team members
- Audit logging on key actions
- Least-privilege access to production systems
Your Data Stays Yours
We collect only what's needed to run the service. Nothing more.
No Bulk Chat Storage
We never store your full chat history. AI detection processes messages in real time to identify product signals, but only matched signals are stored. You control which channels are opted in.
No Third-Party Ads
Your data is never sold, shared, or used for advertising. We make money from subscriptions, not your data.
Full Data Erasure
Delete your account and all data is permanently erased within 30 days. An automated data subject access request (DSAR) workflow is included.
Data Retention
| Data | Retention |
|---|---|
| Active data | While the account is active |
| Deleted ideas | Purged after 30 days |
| Account deletion | All data removed in 30 days |
| Backups | Retained 90 days for disaster recovery (DR) |
Application Security
Security built into the development lifecycle.
Authentication
- OAuth 2.0 (Google, GitHub, Microsoft, Slack)
- SSO with SAML 2.0 and OIDC
- Multi-factor authentication (TOTP)
- HTTP-only secure session cookies
- CSRF protection on all mutations
API Security
- API key auth for programmatic access
- Plan-based rate limiting (60-1,200 req/min)
- Input validation on all endpoints
- Parameterized SQL queries throughout
- Webhook signature verification (HMAC-SHA256)
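The HMAC-SHA256 webhook signature verification listed above, as an added example in Python; this is not IdeaLift's own code, and the header name `X-Signature-256`, the `sha256=<hex>` value format and the shared secret are assumptions. It verifies the raw request bytes before any JSON parsing and compares digests in constant time.

```python
import hmac
import hashlib
import json

# Assumed (not from IdeaLift's docs): the signature travels in this header as
# "sha256=<hex digest>", computed over the raw request body with a shared secret.
SIGNATURE_HEADER = "X-Signature-256"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes that go on the wire."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_webhook(secret: bytes, body: bytes, headers: dict) -> bool:
    """Receiver side: accept only if the header carries a valid MAC over body.

    Verify on the raw bytes (re-serialising parsed JSON can change whitespace
    or key order and break the MAC) and use compare_digest so a mismatch does
    not leak timing information about how many leading characters matched.
    """
    received = headers.get(SIGNATURE_HEADER, "")
    if not received.startswith("sha256="):
        return False  # missing or malformed header: reject, never fall back
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed sample values for the demo; not real secrets or events.
SECRET = b"constructed-shared-secret"
BODY = json.dumps({"event": "idea.created", "id": 42}).encode()


def demo() -> tuple:
    """Returns (valid, tampered_body_rejected, missing_header_rejected)."""
    good_headers = {SIGNATURE_HEADER: sign_payload(SECRET, BODY)}
    tampered_body = BODY.replace(b"42", b"43")
    return (
        verify_webhook(SECRET, BODY, good_headers),
        not verify_webhook(SECRET, tampered_body, good_headers),
        not verify_webhook(SECRET, BODY, {}),
    )


if __name__ == "__main__":
    print(demo())
```

Only after `verify_webhook` returns True should the body be handed to `json.loads` and the event processed.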
Development Practices
- Automated security scanning in CI/CD
- Dependency vulnerability monitoring
- Code review on all changes
- Staging environment with production parity
- Automated rollback on failed deploys
Compliance
Where we are today and where we're headed.
SOC 2 Type II: Controls Implemented
Security, Availability, and Confidentiality controls are implemented across our infrastructure and application. A third-party audit is planned but not yet completed.
GDPR: Compliant
Full GDPR compliance with Data Processing Agreements, automated DSAR workflows for data export and erasure, and configurable data retention.
Enterprise-Ready Features
The access controls and governance your IT team needs, built in from day one.
SSO (SAML & OIDC)
Authenticate via your existing identity provider. Okta, Azure AD, Google Workspace, and more.
SCIM Provisioning
Automate user provisioning and deprovisioning from your identity provider. No manual seat management.
Audit Logging
User actions logged with timestamp, IP, and resource details. Accessible from your workspace settings.
Workspace Isolation
Every workspace is a fully isolated tenant: all database queries are scoped by workspace ID at the application layer.
Role-Based Access
Owner, Admin, and Member roles with granular permissions. Control who can manage integrations, invite users, or change settings.
Data Processing Agreement
Standard DPA ready to sign for teams that require one. No legal back-and-forth needed.
Sub-processors
Every third party that touches your data.
| Provider | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, database, key management | USA |
| Stripe | Payment processing | USA |
| OpenAI | AI processing (ticket formatting, deduplication) | USA |
| Anthropic | AI processing (analysis, classification) | USA |
| Sentry | Error monitoring | USA |
| PostHog | Product analytics | USA/EU |
| Resend | Transactional email | USA |
Responsible Disclosure
Found a vulnerability? We take reports seriously and respond quickly.
- Email [email protected]
- Include steps to reproduce
- We acknowledge within 48 hours
- Researchers credited (with permission)
Need a Security Review?
We're happy to complete your vendor security questionnaire, provide documentation, or jump on a call with your security team.
Ready to see it in action?
Sign up free with full workspace isolation from day one. Upgrade to a paid plan with a 14-day free trial when you're ready.