FeaturesHow It WorksArchitectureIntegrationsPricingBlog
Get StartedSign In
Security & Compliance

Compliance is architecture, not an afterthought

Enterprise-grade security with automatic PII detection, AES-256 encryption, complete audit trails, and compliance readiness for SOC 2, GDPR, and HIPAA.

See It In Action

Watch automatic PII detection and masking

Raw Data
NameEmailSSNAmount
Sarah Chens.chen@corp.io412-55-8901$12,450
James Millerj.miller@fin.com789-12-3456$8,200
Elena Rodrigueze.rodriguez@bank.net321-67-4532$45,100
Michael Parkm.park@trade.org654-98-7210$3,750

How it works

  1. 1

    Raw data ingested into Protected Raw layer

  2. 2

    PII scanner detects sensitive columns (email, SSN)

  3. 3

    Masking policies applied automatically

  4. 4

    Audit log records every classification and action

Security Pillars

Enterprise-grade protection at every layer

PII Detection & Classification

Automatic regex-based PII detection scans every column on ingestion.

  • Email, SSN, credit card, phone number patterns
  • Field-level classification tags
  • NLP-based detection planned for Phase 2
  • Configurable regex patterns per team

Data Masking

Column-level masking policies applied automatically based on classification tags.

  • Tag-based auto-masking
  • Configurable masking patterns (hash, redact, partial)
  • Per-team masking overrides
  • Masking audit trail

Encryption

Enterprise-grade encryption at every layer of the platform.

  • AES-256 encryption at rest
  • TLS 1.3 minimum (1.2 supported) in transit
  • mTLS for pod-to-pod communication
  • AWS KMS with per-tenant data keys

Audit Logging

Every action logged with full context for compliance reporting.

  • Actor, team, action, resource, timestamp, IP, result
  • Hot storage (PostgreSQL, 90 days)
  • Warm storage (S3 Parquet, 2 years)
  • Cold storage (Glacier, 2+ years)

Access Control — RBAC

Six-role hierarchy with organization-to-pipeline scope.

  • Org Super Admin — full control
  • Org Compliance Officer — read-only audit
  • Team Admin — team-level management
  • Pipeline Builder — create and deploy within team

Data Residency

No customer data stored at rest in Cupel infrastructure.

  • Platform orchestrates, customer cloud computes
  • Data never transits Cupel infrastructure
  • Hybrid compute model (Snowflake, AWS, Azure, GCP)
  • Agent-in-VPC option for zero-trust (Phase 3)
Compliance Roadmap

On the path to enterprise certification

1

Phase 1

Foundation

Complete
  • Encryption (AES-256/TLS 1.3)
  • Audit logging
  • RBAC with 6 roles
  • PII regex detection
  • Column-level masking
2

Phase 2

SOC 2 Type I

In Progress
  • SOC 2 Type I certification
  • ML-based PII classification
  • BCBS 239 compliance profiles
  • MiFID II reporting templates
3

Phase 3

SOC 2 Type II + HIPAA

Planned
  • SOC 2 Type II certification
  • HIPAA compliance
  • Agent-in-VPC deployment
  • FedRAMP alignment
GDPR ReadyBCBS 239MiFID IIPCI-DSSSolvency II
At a Glance

Security features checklist

  • Automatic PII detection and classification
  • Column-level data masking policies
  • AES-256 encryption at rest, TLS 1.3 in transit
  • Complete audit trail for every action
  • Role-based access control (RBAC)
  • BCBS 239 and MiFID II readiness

SOC 2

On roadmap

GDPR

On roadmap

HIPAA

On roadmap

Ready to secure your data platform?

Start building with enterprise-grade security from day one. No credit card required.

Get Started FreeTalk to Security Team