Trust Center
Security, compliance, and data protection — everything your security team needs
Live status of compliance certifications and attestations.
SOC 2 Type I
Achieved
Completed Q4 2025
SOC 2 Type II
In Progress
Observation period — expected Q3 2026
ISO 27001
In Progress
Gap analysis complete — certification Q4 2026
GDPR
Achieved
DPA available — EU data processing compliant
HIPAA
Planned
BAA available for healthcare customers — Q1 2027
PCI-DSS
Achieved
Level 1 service provider — no cardholder data stored
See exactly where your data flows for each deployment model.
Cupel orchestrates; your cloud computes. Only schema metadata and pipeline status flow to the control plane.
Your Cloud
Customer-managed infrastructure
Data Warehouse
Snowflake, BigQuery, Redshift — your data stays here
Object Storage
S3, GCS, ADLS — raw files never leave your account
Compute
Snowpark, Glue, Dataflow — heavy processing in your cloud
Schema metadata, pipeline status, quality scores only
Cupel Control Plane
Orchestration and metadata only
Pipeline Orchestration
Temporal workflows — coordinates execution steps
Schema Metadata
Table names, column types — never raw data values
Quality Scores
Pass/fail results, row counts, SLA metrics
Audit Trail
Who did what, when — immutable compliance log
At Rest
AES-256-GCM
Per-tenant data keys via AWS KMS
In Transit
TLS 1.3 (min 1.2)
mTLS for pod-to-pod communication
Key Management
BYOK Supported
AWS KMS, Azure Key Vault, GCP Cloud KMS, HashiCorp Vault
Clear delineation of security and operational responsibilities between Cupel and your organization.
| Responsibility | SaaS | Agent-in-VPC | Hosted |
|---|---|---|---|
| Data Encryption at Rest | Customer | Customer | Cupel |
| Data Encryption in Transit | Shared | Shared | Cupel |
| Platform Patching | Cupel | Cupel | Cupel |
| Infrastructure Scaling | Customer | Customer | Cupel |
| Backup & Disaster Recovery | Customer | Customer | Cupel |
| Access Control (RBAC) | Shared | Customer | Shared |
| Incident Response | Cupel | Shared | Cupel |
| Compliance Certifications | Cupel | Shared | Cupel |
| Network Security | Customer | Customer | Cupel |
| Key Management | Customer | Customer | Shared |
| Audit Logging | Cupel | Cupel | Cupel |
| Data Classification | Cupel | Cupel | Cupel |
| Data Residency | Customer | Customer | Shared |
| Identity Provider (SSO) | Shared | Customer | Shared |
Request access to compliance documentation. NDA may be required for audit reports.
SOC 2 Type I Report
Bridge letter and full audit report (NDA required)
Data Processing Agreement
GDPR Article 28 compliant DPA
Security Questionnaire (SIG Lite)
Pre-filled SIG Lite v2024 responses
CAIQ (Cloud Security Alliance)
Consensus Assessment Initiative Questionnaire
Penetration Test Summary
Most recent CREST-certified pen test executive summary
Architecture Whitepaper
Technical architecture and security controls overview
Subprocessor List
Current list of subprocessors (Auth0, AWS, Stripe, Temporal)
Incident Response Plan
Detection, triage, escalation, and notification procedures
Third-party services that process data on behalf of Cupel. Required by GDPR Article 28.
15 min
Time to Detect
Automated monitoring + alerting
1 hour
Time to Notify
Customer notification for P1/P2 incidents
4 hours
Time to Resolve (P1)
Critical incidents — 24/7 on-call