Trust Center
Built on compliance, security, and transparency. Everything enterprise procurement teams need to evaluate SIE Data as a vendor.
Compliance Certifications
Regulatory compliance is not optional — it is the foundation of every system we build.
CA CPPA Registered
Registered with California Privacy Protection Agency as a data broker under SB 362 (DELETE Act).
DELETE Act Compliant
Full DROP (Delete Request and Opt-out Platform) integration. Consumer deletion requests processed within 24 hours.
FCRA Firewall
Infrastructure-level blocking of all FCRA-regulated fields. Zero exceptions, zero overrides.
CCPA / CPRA
Full California Consumer Privacy Act compliance including opt-out, deletion, and data portability.
GDPR
Legitimate interest (Art. 6(1)(f)) for B2B data. Explicit consent (TCF v2.2) for consumer data.
Autonomous where the math is safe. Human-gated where the compliance risk is non-zero.
SIE's platform continuously tunes itself — scoring rules, enrichment ranking, prompt templates, compound-signal patterns — against real outcomes. Every autonomous change passes through a safety gate, the counselor, before it ships.
FCRA terms blocked at every mutation
The counselor rejects any autonomous change that would introduce a credit, bankruptcy, employment, or other FCRA-regulated field. Compliance is non-negotiable — not even internal proposals can bypass it.
Improvement-gated promotion
A new scoring prompt or signal rule only replaces the current version if it beats the current accuracy on a minimum sample of real, outcome-labeled traces — measured on your traffic, not a synthetic benchmark.
Bounded edit distance
No autonomous change can wholesale replace a scoring rule or prompt. The counselor caps how much can change in a single promotion, so drift is small, traceable, and reversible.
Full lineage + one-click rollback
Every autonomous change records its before/after state, the sample size it was evaluated on, and its provenance. If a new version drifts, rollback to the last known-good version is one action.
Human-gated where risk is non-zero
New compound-signal definitions, new FCRA classifications, consent-tier changes, and pricing-rule edits never auto-apply. The system proposes; humans approve.
Audit trail for every change
Autonomous promotions, rejections, and rollbacks all emit structured log entries. Enterprise legal + DPO teams get a complete record of what changed, when, and why.
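The six controls above describe a gate that sits between the autonomous tuner and production. The block below is an added example, not SIE Data's own code, that implements that gate for a scoring prompt: it rejects any change that introduces an FCRA-regulated term, caps how much text may change in one promotion, holds changes that lack a minimum number of outcome-labelled traces, promotes only on an accuracy improvement, and writes the lineage record that makes rollback a single call. The term list, the minimum sample (200), the change cap (25%), the use of `difflib` similarity as the "edit distance", and the sample prompts are all assumptions made for the illustration.

```python
"""
Added example, not SIE Data's own code: a minimal "counselor" that gates an
autonomous change to a scoring prompt the way the section above describes.
Hypothetical choices: FCRA terms are matched as substrings of new field names
and prompt text, "edit distance" is 1 - difflib similarity ratio, and the
minimum sample and change cap are assumed constants.
"""
import difflib
from dataclasses import dataclass, field

FCRA_TERMS = ("credit", "bankruptcy", "employment")  # the page names these three
MIN_SAMPLE = 200      # assumed: minimum outcome-labelled traces before a promotion
MAX_CHANGE = 0.25     # assumed: at most 25% of the text may change in one promotion


@dataclass
class Proposal:
    name: str
    current: str            # text that is live today
    proposed: str           # text the autonomous tuner wants to promote
    fields_added: tuple = ()
    accuracy_current: float = 0.0
    accuracy_proposed: float = 0.0
    sample_size: int = 0    # outcome-labelled traces both versions were scored on


@dataclass
class Decision:
    promoted: bool
    reason: str
    lineage: dict = field(default_factory=dict)


def new_fcra_terms(p):
    """Terms the proposal would introduce: present in new text or new fields, absent today."""
    before = p.current.lower()
    after = " ".join([p.proposed.lower(), *[f.lower() for f in p.fields_added]])
    return [t for t in FCRA_TERMS if t in after and t not in before]


def change_fraction(old, new):
    """Share of the text that changes (0.0 = identical, 1.0 = nothing in common)."""
    return 1.0 - difflib.SequenceMatcher(None, old, new).ratio()


def counsel(p):
    """Apply the gates in order; only a proposal that clears all of them is promoted."""
    blocked = new_fcra_terms(p)
    if blocked:
        return Decision(False, "rejected: introduces FCRA-regulated term(s) " + ", ".join(blocked))
    frac = change_fraction(p.current, p.proposed)
    if frac > MAX_CHANGE:
        return Decision(False, f"rejected: change fraction {frac:.2f} exceeds cap {MAX_CHANGE:.2f}")
    if p.sample_size < MIN_SAMPLE:
        return Decision(False, f"held: {p.sample_size} labelled traces < minimum {MIN_SAMPLE}")
    if p.accuracy_proposed <= p.accuracy_current:
        return Decision(False, "rejected: does not beat current accuracy on real traces")
    lineage = {
        "name": p.name, "before": p.current, "after": p.proposed,
        "sample_size": p.sample_size, "accuracy_before": p.accuracy_current,
        "accuracy_after": p.accuracy_proposed, "change_fraction": round(frac, 3),
    }
    return Decision(True, "promoted", lineage)


def rollback(lineage):
    """One-action rollback: the lineage record carries the last known-good text."""
    return lineage["before"]


# Constructed sample prompts for the demo.
CURRENT_PROMPT = "Score the lead from 0 to 100 using recent site visits, permit filings and declared interest."

SMALL_TWEAK = Proposal("lead_score_v2", CURRENT_PROMPT,
    "Score the lead from 0 to 100 using recent site visits, permit filings, dwell time and declared interest.",
    accuracy_current=0.71, accuracy_proposed=0.74, sample_size=850)
ADDS_FCRA = Proposal("lead_score_v3", CURRENT_PROMPT,
    "Score the lead from 0 to 100 using recent site visits, credit history and declared interest.",
    accuracy_current=0.71, accuracy_proposed=0.80, sample_size=850)
REWRITE = Proposal("lead_score_v4", CURRENT_PROMPT,
    "Rank prospects by a weighted product of signal recency, dwell depth and permit value; output an integer rank.",
    accuracy_current=0.71, accuracy_proposed=0.75, sample_size=850)
TOO_FEW = Proposal("lead_score_v5", CURRENT_PROMPT, SMALL_TWEAK.proposed,
    accuracy_current=0.71, accuracy_proposed=0.74, sample_size=40)

if __name__ == "__main__":
    for p in (SMALL_TWEAK, ADDS_FCRA, REWRITE, TOO_FEW):
        d = counsel(p)
        print(f"{p.name}: promoted={d.promoted} ({d.reason})")
```

Note that the FCRA check runs first and is unconditional: `ADDS_FCRA` shows a higher accuracy than the live prompt and still never reaches the improvement gate, which is the "not even internal proposals can bypass it" property. The change cap is what turns `REWRITE` away even though it would also improve accuracy.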
FCRA Compliance Statement
SIE Data is NOT a Consumer Reporting Agency. We do not produce consumer reports as defined by 15 U.S.C. § 1681a(d).
- We provide signals, not scores.
- We enable intent, not eligibility.
- We serve markets, not credit files.
Permanently blocked fields (no buyer certification unlocks these):
Security Architecture
Defense-in-depth from encryption at rest to network-level enforcement.
AES-256-GCM Encryption
All PII encrypted at rest with AES-256-GCM. A fresh, unique nonce is generated for every record, since reusing a GCM nonce under the same key breaks both confidentiality and the authentication tag. Keys rotated quarterly.
JWT + HMAC-SHA256 Auth
30-minute access tokens, 7-day refresh tokens. API keys authenticated via HMAC-SHA256.
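As an added example, not SIE Data's own code, the block below shows the two mechanisms named above in working form: an HS256 (HMAC-SHA256) JWT access token minted with a 30-minute expiry and verified with the algorithm pinned and the signature compared in constant time, and an API-key request signature that covers the method, path, timestamp and a SHA-256 of the body and is rejected outside a replay window. The header names, the 5-minute window, the key-id lookup table and the secrets are all constructed for the demo.

```python
"""
Added example, not SIE Data's own code: HS256 (HMAC-SHA256) JWT access tokens
with a 30-minute lifetime, and HMAC-SHA256 request signatures for API keys.
Hypothetical choices: header names, the 5-minute replay window, and that the
API-key signature covers method, path, timestamp and a SHA-256 of the body.
Secrets below are constructed for the demo; in practice they come from a KMS.
"""
import base64
import hashlib
import hmac
import json
import time

ACCESS_TTL = 30 * 60          # page: 30-minute access tokens
REPLAY_WINDOW = 5 * 60        # assumed: tolerated clock skew / replay window

JWT_SECRET = b"constructed-demo-jwt-secret"
DEMO_KEYS = {"key_123": b"constructed-demo-api-key-secret"}   # key id -> secret (constructed)


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_json(obj):
    return b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def mint_access_token(subject, now=None, secret=JWT_SECRET):
    now = int(time.time()) if now is None else int(now)
    header = b64url_json({"alg": "HS256", "typ": "JWT"})
    payload = b64url_json({"sub": subject, "iat": now, "exp": now + ACCESS_TTL})
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_access_token(token, now=None, secret=JWT_SECRET):
    """Return the payload if structure, algorithm, signature and expiry check out, else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        h, p, s = token.split(".")
        header = json.loads(unb64url(h))
        payload = json.loads(unb64url(p))
        sig = unb64url(s)
    except ValueError:            # wrong part count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm: the token's own "alg" must never choose how it is verified.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def request_mac(secret, method, path, ts, body):
    """HMAC-SHA256 over the request's canonical form; the body is bound via its hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    msg = "\n".join([method.upper(), path, str(ts), body_hash]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_api_request(key_id, secret, method, path, body, ts):
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts),
            "X-Signature": request_mac(secret, method, path, ts, body)}


def verify_api_request(headers, method, path, body, now, keys=DEMO_KEYS):
    secret = keys.get(headers.get("X-Key-Id", ""))
    if secret is None:
        return False
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > REPLAY_WINDOW:         # stale or replayed request
        return False
    expected = request_mac(secret, method, path, ts, body)
    return hmac.compare_digest(expected.encode(), headers.get("X-Signature", "").encode())


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_access_token("buyer_42", now=t0)
    print("fresh token ok :", verify_access_token(tok, now=t0 + 60) is not None)
    print("after 30 min   :", verify_access_token(tok, now=t0 + ACCESS_TTL))
    hdrs = sign_api_request("key_123", DEMO_KEYS["key_123"], "POST", "/v1/reveal", b'{"id":7}', t0)
    print("signed request :", verify_api_request(hdrs, "POST", "/v1/reveal", b'{"id":7}', t0 + 10))
```

Two details matter more than the rest: the verifier ignores the token's `alg` except to reject anything other than HS256 (so an `alg: none` token can never pass), and the API-key MAC binds the body hash and a timestamp, so a captured request cannot be replayed with a different payload or after the window closes.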
PII SHA-256 Hashing
Consumer identifiers are SHA-256 hashed with a server-side salt before storage, so analytics datasets contain no reversible PII.
Re-Identification Blocker
Automated k-anonymity enforcement: a signal is suppressed whenever the cohort that shares its quasi-identifiers falls below the k threshold.
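The two controls above (salted SHA-256 pseudonyms and cohort-size suppression) are shown together in the added example below, which is not SIE Data's own code. Identifiers are pseudonymised with SHA-256 keyed by a server-side secret (HMAC), which is the form a "server salt" needs to take for the output to be non-reversible when the identifier space, such as e-mail addresses, is small enough to enumerate; the k-anonymity step then releases a signal only if at least k records share its quasi-identifiers. The quasi-identifier columns, the threshold K = 5, the secret and the records are all constructed for the demo.

```python
"""
Added example, not SIE Data's own code: pseudonymise consumer identifiers with
SHA-256 keyed by a server-side secret (HMAC), then apply a k-anonymity check to
the cohort a signal would be released in. Hypothetical choices: the quasi-
identifiers are (zip3, age_band), K = 5, and the records are constructed here.
"""
import hashlib
import hmac
from collections import Counter

SERVER_SALT = b"constructed-server-secret"  # assumed: secret, server-side only, never exported
K = 5                                        # assumed suppression threshold
QUASI = ("zip3", "age_band")                 # assumed quasi-identifier columns


def normalize_email(email):
    """Canonicalise before hashing so one person always maps to one pseudonym."""
    return email.strip().lower()


def pseudonymize(identifier, salt=SERVER_SALT):
    # HMAC-SHA256 rather than sha256(salt + id): the e-mail space is small enough to
    # enumerate, so the output is only non-reversible while the salt stays secret.
    return hmac.new(salt, normalize_email(identifier).encode(), hashlib.sha256).hexdigest()


def release_signals(records, k=K, quasi=QUASI):
    """Return (released, suppressed). Released rows carry a pseudonym and no raw identifier."""
    cohort = Counter(tuple(r[q] for q in quasi) for r in records)
    released, suppressed = [], []
    for r in records:
        key = tuple(r[q] for q in quasi)
        row = {"subject": pseudonymize(r["email"]), "signal": r["signal"], **dict(zip(quasi, key))}
        if cohort[key] >= k:
            released.append(row)
        else:
            suppressed.append({"cohort": key, "size": cohort[key]})
    return released, suppressed


# Constructed input: six people share (941, 35-44); only two share (100, 18-24).
RECORDS = [
    {"email": f"user{i}@example.com", "zip3": "941", "age_band": "35-44", "signal": "solar_intent"}
    for i in range(6)
] + [
    {"email": "alice@example.com", "zip3": "100", "age_band": "18-24", "signal": "solar_intent"},
    {"email": " Bob@Example.com ", "zip3": "100", "age_band": "18-24", "signal": "roofing_intent"},
]

if __name__ == "__main__":
    released, suppressed = release_signals(RECORDS)
    print(f"released {len(released)} signals, suppressed {len(suppressed)}")
    for s in suppressed:
        print("  suppressed cohort", s["cohort"], "size", s["size"])
```

With K = 5 the two-person (100, 18-24) cohort is held back: releasing a "solar_intent" signal tagged with that ZIP prefix and age band would narrow the subject to two people, which is exactly the re-identification the blocker exists to prevent. Lowering k to 2 releases all eight rows.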
TLS 1.3 In Transit
All API endpoints enforce TLS 1.3. HSTS enabled. Certificate transparency logged.
SOC 2-Aligned Controls
Infrastructure, access controls, and monitoring aligned to SOC 2 framework. Type II audit in progress. Request our security questionnaire at [email protected].
Buyer Compliance Dashboard
Every contact you reveal passes our 7-stage compliance pipeline. View real-time compliance status, export audit trails, and verify data provenance at /buyer/compliance.
SOC 2 Trust Services Criteria — Controls Mapping
How our live controls map to the five AICPA Trust Services Criteria a SOC 2 audit evaluates. We do not claim certification — “SOC 2-Aligned” means these controls implement the framework today. A Type II audit is in progress.
Security (Common Criteria)
AES-256-GCM at rest · TLS 1.3 in transit · JWT + HMAC-SHA256 auth · RBAC least-privilege + MFA · quarterly key rotation
Availability
US multi-region infrastructure (AWS, GCP, Vercel CDN) · Upstash caching · health-dependency monitoring · cross-region DR backup chain
Processing Integrity
Signed, tamper-evident audit chain · 7-stage compliance pipeline on every reveal · 15-section signal provenance · idempotent, refund-proof billing
Confidentiality
PII SHA-256 hashing with server salt · row-level security (RLS) · k-anonymity re-identification blocker · encryption everywhere
Privacy
TCF v2.2 consent for consumer signals · DROP / DELETE Act deletion SLA · DNC + suppression enforcement · FCRA firewall · CCPA/CPRA + GDPR
Data Practices
Transparency in what we collect, how long we keep it, and how fast we delete it.
What We Collect
- Behavioral intent signals (page visits, dwell time, scroll depth)
- Public record data (permits, filings, licenses)
- Zero-party data (self-declared preferences, form submissions)
- B2B firmographic data (company size, industry, tech stack)
Retention Periods
- Consumer behavioral data: 90 days
- B2B intent signals: 365 days
- Compliance audit logs: 7 years
- Account data: Duration of relationship + 30 days
Deletion SLA
- Consumer deletion requests: 24 hours
- DROP platform sync: Real-time
- Downstream buyer notification: 48 hours
- Full purge confirmation: 72 hours
Sub-Processors
Complete list of third-party services that process data on our behalf. Updated quarterly.
| Provider | Purpose | Location | Type |
|---|---|---|---|
| Supabase | Primary database (leads, auth, compliance) | US (AWS us-east-1) | Infrastructure |
| Railway | API hosting and compute | US (GCP us-west1) | Infrastructure |
| AWS (RDS + S3) | Directory database, invoice storage | US (us-east-1) | Infrastructure |
| Vercel | Dashboard and static site hosting | US (Global CDN) | Infrastructure |
| Zoho | Transactional email (SMTP), accounting | US | Business Operations |
| Stripe | Payment processing | US | Billing |
| Anthropic | AI-powered signal classification | US | AI/ML |
| Email verification provider | Email verification and enrichment | EU (France) | Enrichment |
| Proprietary Pipeline | Public records aggregation | US | Data Collection |
| Upstash | Redis caching layer | US (AWS us-east-1) | Infrastructure |
Security Questionnaire FAQ
Common questions from enterprise procurement and security teams.
What is your SOC 2 status?
Our infrastructure, access controls, and monitoring are aligned to the SOC 2 framework. We are currently undergoing a Type II audit with an independent auditor. Contact [email protected] to request our security questionnaire or controls documentation.
When was your last penetration test?
We conduct penetration testing on a quarterly basis. Results and remediation reports are available under NDA for enterprise customers during procurement review.
Do you carry cyber liability insurance?
Yes. We maintain cyber liability and errors & omissions insurance. Coverage details are available upon request during enterprise onboarding.
Where is data stored and processed?
All primary data processing occurs in US-based data centers (AWS us-east-1, GCP us-west1). No consumer PII is transferred outside the United States. Note that the sub-processor list includes one EU-located (France) email verification provider; see that list for the full set of locations and purposes.
Are you a Consumer Reporting Agency under FCRA?
No. SIE Data is NOT a Consumer Reporting Agency. We do not collect, store, or distribute any FCRA-regulated data. Our FCRA firewall permanently blocks all regulated fields at the infrastructure level. We provide marketing intent signals only.
How do you handle deletion requests?
Consumer deletion requests are processed within 24 hours via our DROP platform integration, direct API, or email. We notify downstream buyers within 48 hours and confirm full purge within 72 hours.
Can we review your data processing agreement (DPA)?
Yes. We provide a standard DPA aligned with CCPA/CPRA and GDPR requirements. Enterprise customers can request custom DPA terms. Contact [email protected] to initiate.
What access controls do you have in place?
Role-based access control (RBAC) with principle of least privilege. All access is logged and auditable. MFA is enforced for all internal systems. API keys use HMAC-SHA256 with automatic rotation.
Contact Our Security Team
Have questions about our security posture? Need documentation for your vendor review? Reach out.
Security Inquiries
[email protected]
Pen test reports, SOC 2 docs, vendor questionnaires
Privacy Requests
[email protected]
DPA review, CCPA/GDPR requests, deletion
Data Protection Officer
[email protected]
GDPR inquiries, cross-border transfers
Ready to evaluate SIE Data for your organization?
Start a free 30-day pilot with full compliance documentation included.