// Security

Built so operators can trust the pipeline.

SOC 2 Type 2, encrypted in transit and at rest, Postgres you own, and hard spend caps you control. The same controls that gate the platform gate every customer workspace.

01 Security pillars

The three things we will not compromise.

SOC
Audited

SOC 2 Type 2

Continuous control monitoring through Drata. The Type 2 report is verified by Sensiba and shared under NDA during procurement.

TLS
Encrypted

TLS 1.3 in transit, AES at rest

Every connection is TLS 1.3. Customer data, credentials, and provider keys are encrypted at rest, scoped per workspace, and never logged.

Hard
Bounded

Hard spend caps

Every workspace runs against a hard spend cap. No surprise invoices, no runaway agents. Cost preflight runs before any chargeable call.

02 Certifications & practices

The full specimen sheet.

Verified by Sensiba. Monitored by Drata. Updated continuously.

01 Compliance (3 controls)
SOC 2 Type 2: Verified by Sensiba. Continuous control monitoring through Drata. Report available under NDA during procurement.
Annual penetration test: Third-party penetration test against the production surface, with remediated findings tracked in our audit log.
Vendor review: Every subprocessor is reviewed before integration. Provider list and DPAs are available to customers.

02 Identity & access (3 controls)
SSO / SAML: SAML SSO via Okta, Google Workspace, Microsoft Entra, and standard IdPs. SCIM provisioning on enterprise plans.
Role-based access: Workspace roles separate admins, operators, and read-only auditors. Audit trail is queryable from the CLI.
Short-lived tokens: CLI tokens are short-lived and revocable. Lost a laptop? Rotate from the dashboard in seconds.

03 Data handling (3 controls)
Postgres of record: Every enrichment result lands in a Postgres database scoped to your workspace. Standard pg_dump, no export fees, no lock-in.
TLS 1.3 everywhere: All traffic between the CLI, our API, and provider APIs is TLS 1.3. Certificate pinning on critical paths.
Provider key isolation: Bring-your-own-keys are encrypted, scoped to your workspace, never shared across tenants, and never written to logs.

04 Spend & abuse controls (3 controls)
Hard spend caps: Workspaces enforce a hard monthly cap. We pause execution instead of overrunning. No agent loop has ever invoiced a customer past their cap.
Cost preflight: Every chargeable provider call gets a preflight cost estimate before it fires. Idempotency keys guard against duplicates.
Audit log: Every API call, every provider call, every spend event is recorded with provenance. Queryable from SQL or the CLI.

Need the report? team@deepline.com
Vulnerability reports → security@deepline.com

03 SOC 2 Type 2 report
// SOC 2 Type 2

Verified by Sensiba, monitored by Drata.

Deepline maintains a SOC 2 Type 2 compliance program with continuous control monitoring. The current report is available to qualified customers under NDA during procurement.

Request through team@deepline.com.

04 Frequently asked

Common questions about security.

Yes — the most recent Type 2 report, verified by Sensiba, is available to qualified customers under NDA. Email team@deepline.com and we will route it through Drata.
Enrichment results land in a Postgres database scoped to your workspace, encrypted at rest. You own the schema and can pg_dump everything at any time. There are no export fees, no lock-in window, and no proprietary file formats.
Every subprocessor is reviewed before integration. The current list and DPAs are shared during procurement — email team@deepline.com.
Yes. SAML SSO via Okta, Google Workspace, Microsoft Entra, and standard IdPs. SCIM provisioning is available on enterprise plans.
Each workspace has a configurable monthly cap. Once hit, Deepline pauses chargeable execution instead of overrunning. Cost preflight runs before each provider call, so a runaway agent loop cannot invoice you past your cap.
Email security@deepline.com. We acknowledge inside one business day and triage critical reports immediately.