Trust · Posture, in plain English

PII is the product.
Here's how we handle it.

For your privacy lead, your security reviewer, your legal counsel. No marketing. No denial. Five things, plainly.

Read time · ~3 minutes · Audit-ready

01
Architecture · where the PII actually lives

PII lives once, behind the auth wall.

The graph holds PII — emails, phones, addresses, hashed identifiers. That is the product. The graph runs in a private VPC, accessed only through SSO and the operator API. No PII is exposed by this marketing surface; the marketing site is static HTML at the edge. PII writes, reads, and exports happen inside the auth-walled application, with every action carrying an actor and a timestamp in the audit log.

Encryption at rest (AES-256), encryption in transit (TLS 1.3), customer-isolated tenancy, regional data residency on request.

02
Privacy · what this website collects

Yes, we use cookies.

This site uses cookies and analytics — first-party for site behavior (which pages convert, where the funnel drops), third-party for ads attribution and a small set of marketing-automation pixels. We respect Global Privacy Control and Do Not Track signals. The full list and your opt-out are in our Privacy Notice.

Form submissions (Request access, Contact) are personal data; they route to our CRM and our sales team. Deletion on request is honored within seventy-two hours.

03
Privacy · for the resolved graph

GDPR & CCPA delete-by-identifier.

Inside the graph, deletion is structural. A right-to-be-forgotten request resolves the identifier to its entity, then removes the entity and every edge it touches in the same transaction. There is no separate "deletion list" that opts the entity out of future merges — the entity is gone, and the next continual refresh treats the source records as if they were never there.

We can produce an audit trail showing exactly what was removed, when, and by whose authority. Your DPO can hand the trail to a regulator without translation.

04
Security · access control

Single sign-on, audit-logged.

Every operator action against the graph passes through SSO with mandatory MFA. Every read, every write, every export carries an actor and a timestamp. The audit log is retained for thirteen months and exports to your SIEM on request.

Service accounts are scoped per workload and rotate automatically. Long-lived credentials do not exist in this architecture.

05
How to ask

Send us your questionnaire.

If you need a SOC 2 letter, a vendor security questionnaire return, a sample DPA, or a regulator-ready architecture diagram, ask. The reply lands within one business day with whatever you actually need attached.

If you need to talk to a human first — about a deletion, a breach disclosure clause, a residency requirement — that's also one business day.

TheSPINE