Security that's built in — not bolted on.
Your respondents' data is sensitive. We treat it that way, from the schema up — with tenant isolation, encryption everywhere, and controls you can put in front of your own security team.
The controls behind the platform.
Protection isn't a single feature — it's a set of overlapping controls, each doing its job even if another fails.
SOC 2-ready
Built to the controls of an independent SOC 2 Type II program, with least-privilege access and audit logging.
Encryption everywhere
TLS 1.2/1.3 in transit and transparent encryption at rest. Backups are fully encrypted.
Multi-factor auth
TOTP MFA for administrators, with durable secret storage — no lockouts on restart.
Tenant isolation
Row-level security scopes every query to a tenant, so no customer can ever see another's data.
Hardened hosting
Runs on modern managed infrastructure with restricted network access and rapid patching.
Data residency
Choose where your data lives to meet EU/UK and regional requirements.
Reviewed & tested
Regular third-party review and adversarial testing before changes ship.
GDPR-conscious
Data-subject controls, DPAs, and sub-processor transparency by design.
Protected end to end.
Every response follows the same path — and the tenant boundary travels with it from the first byte to deletion.
Collected
Respondent answers arrive over TLS and are written to storage encrypted at rest, tagged to the tenant that owns them from the first byte.
Isolated
Row-level security scopes every read and write to a single tenant. There is no code path that lets one workspace reach another's data — the boundary is enforced in the database, not just the app.
Processed
Scoring and AI interpretation run on your data only to fulfil your request. Content sent to our AI provider travels over encrypted channels and is never retained for model training.
Retained & deleted
You control your data region and retention. Delete on request or at account closure, subject to legal obligations — exports available during a reasonable window.
What you can ask us for.
Procurement and security reviews are part of choosing a platform. Here's what we'll put in front of your team.
Data Processing Agreement
A signable DPA covering GDPR/UK-GDPR processing terms and your role as controller.
Sub-processor list
The current list of vetted infrastructure and AI sub-processors, available on request.
Security overview
A written summary of our controls, architecture, and testing cadence for your review.
Data residency options
Choose an EU/UK or regional data region to satisfy residency and sovereignty requirements.
MFA & access policy
TOTP-based multi-factor authentication and least-privilege access for administrators.
Testing attestations
Confirmation of third-party review and adversarial testing performed before major releases.
Report a vulnerability
We welcome responsible disclosure. If you believe you've found a security issue, email security@ascent.app and we'll respond within one business day. Please give us a chance to remediate before public disclosure.
Have a security question?
Talk to us about isolation, residency, DPAs, or your review — or start building free.