Appearance
Security and compliance
Dataplicity uses layered technical and operational controls to protect customer accounts, fleet data, and remote access. Use the control descriptions and assurance status below in your security review.
Certification status
Dataplicity is not currently ISO 27001 certified and has not completed a SOC 2 attestation.
Review the specific controls below for your security assessment. Put certification, independent testing, or contractual security requirements in your signed agreement.
Controls in use
The following controls are implemented to the extent described in the linked product and architecture documentation:
- Authentication and access: individual accounts, role and tenant checks, multi-factor authentication, and SSO or SCIM where enabled for the organisation
- Least privilege: scoped application roles, organisation and network filtering, short-lived role credentials for production deployment, and an unprivileged default device-agent identity
- Encryption: TLS for public service connections; encryption at rest for the primary production database, object storage, and backup vaults
- Tenant separation: organisation, network, device, and object-level authorization checks in application paths
- Audit and monitoring: product audit records for supported actions, centralized service logs, configured retention for many log groups, static analysis, security checks, and release evidence generated by CI
- Change controls: source-controlled infrastructure and application changes, automated tests and security checks, designated code ownership for infrastructure, and role-based production deployment workflows
- Backups and recovery: automated database backups and separate-account backup copies are configured; object storage uses provider encryption
- Incident handling: a documented process covers detection, containment, scope assessment, notification decisions, remediation, and follow-up
- Device-side boundary: terminal, file, fleet, and confirmed AI-assisted command paths inherit the permissions granted to the configured device OS identity
These are control descriptions, not a warranty that every risk is eliminated. Availability of SSO, SCIM, audit surfaces, or other features can depend on organisation configuration and current entitlements.
Assurances to confirm contractually
If your deployment requires any of the following assurances, confirm them in a signed agreement:
- ISO 27001 certification or SOC 2 attestation
- a particular penetration-test schedule or access to test reports
- formal recovery time or recovery point objectives
- an uptime or incident-response SLA
- customer-selectable region pinning
- EU-only or US-only processing for specified data categories
- data-sovereignty or regulatory-compliance commitments
See Data residency for deployment locations and regional requirements.
How we answer security reviews
You can use this answer in a customer questionnaire:
Dataplicity operates documented technical controls including tenant-scoped authorization, MFA and optional SSO, TLS in transit, encryption at rest for core production data stores and backups, centralized logging, automated static analysis and security checks, role-based production deployment, backups, incident handling, and a least-privilege device-agent boundary. Dataplicity is not currently ISO 27001 certified and has not completed a SOC 2 attestation. Control descriptions and architecture information can be provided for review, subject to confidentiality and current availability. Confirm certification, penetration-test, SLA, recovery-objective, and regional-residency requirements in the applicable contract.
For a security questionnaire, architecture discussion, data processing agreement request, current subprocessor information, or a proposed exception, contact support@dataplicity.com. Include the requested evidence, deadline, data categories, required region, and whether the requirement must be contractual.
Dataplicity reviews exceptions individually. Approval for a technical exception does not amend a contract unless it is recorded through the appropriate commercial and legal process.
Confirm before relying on a requirement
Ask for current written confirmation when a review depends on:
- certification or independent-assessment status
- penetration testing, report access, or remediation evidence
- active European capacity or region-restricted routing for your services
- the current subprocessor list, DPA, transfer mechanism, or support locations
- backup scope, restore testing, retention, RTO, RPO, SLA, or notification timing
- restrictions on personnel access, AI processing, analytics, or customer-enabled integrations