Trust & security

Security that's built in — not bolted on.

Your respondents' data is sensitive. We treat it that way, from the schema up — with tenant isolation, encryption everywhere, and controls you can put in front of your own security team.

Security at every layer

The controls behind the platform.

Protection isn't a single feature — it's a set of overlapping controls, each doing its job even if another fails.

SOC 2-ready

Built to the controls of an independent SOC 2 Type II program, with least-privilege access and audit logging.

Encryption everywhere

TLS 1.2/1.3 in transit and transparent encryption at rest. Backups are fully encrypted.

Multi-factor auth

TOTP MFA for administrators, with durable secret storage — no lockouts on restart.

Tenant isolation

Row-level security scopes every query to a tenant, so no customer can ever see another's data.

Hardened hosting

Runs on modern managed infrastructure with restricted network access and rapid patching.

Data residency

Choose where your data lives to meet EU/UK and regional requirements.

Reviewed & tested

Regular third-party review and adversarial testing before changes ship.

GDPR-conscious

Data-subject controls, DPAs, and sub-processor transparency by design.

The data lifecycle

Protected end to end.

Every response follows the same path — and the tenant boundary travels with it from the first byte to deletion.

01

Collected

Respondent answers arrive over TLS and are written to storage encrypted at rest, tagged to the tenant that owns them from the first byte.

02

Isolated

Row-level security scopes every read and write to a single tenant. There is no code path that lets one workspace reach another's data — the boundary is enforced in the database, not just the app.

03

Processed

Scoring and AI interpretation run on your data only to fulfil your request. Content sent to our AI provider travels over encrypted channels and is never retained for model training.

04

Retained & deleted

You control your data region and retention. Delete on request or at account closure, subject to legal obligations — exports available during a reasonable window.

For your security team

What you can ask us for.

Procurement and security reviews are part of choosing a platform. Here's what we'll put in front of your team.

Data Processing Agreement

A signable DPA covering GDPR/UK-GDPR processing terms and your role as controller.

Sub-processor list

The current list of vetted infrastructure and AI sub-processors, available on request.

Security overview

A written summary of our controls, architecture, and testing cadence for your review.

Data residency options

Choose an EU/UK or regional data region to satisfy residency and sovereignty requirements.

MFA & access policy

TOTP-based multi-factor authentication and least-privilege access for administrators.

Testing attestations

Confirmation of third-party review and adversarial testing performed before major releases.

Report a vulnerability

We welcome responsible disclosure. If you believe you've found a security issue, email security@ascent.app and we'll respond within one business day. Please give us a chance to remediate before public disclosure.

Have a security question?

Talk to us about isolation, residency, DPAs, or your review — or start building free.