
Trust Center

Built on compliance, security, and transparency. Everything enterprise procurement teams need to evaluate SIE Data as a vendor.

Compliance Certifications

Regulatory compliance is not optional — it is the foundation of every system we build.

CA CPPA Registered (Status: Active)

Registered with California Privacy Protection Agency as a data broker under SB 362 (DELETE Act).

DELETE Act Compliant (Status: Active)

Full DROP platform integration. Consumer deletion requests processed within 24 hours.

FCRA Firewall (Status: Enforced)

Hardware-level blocking of all FCRA-regulated fields. Zero exceptions, zero overrides.

CCPA / CPRA (Status: Compliant)

Full California Consumer Privacy Act compliance including opt-out, deletion, and data portability.

GDPR (Status: Compliant)

Legitimate interest (Art. 6(1)(f)) for B2B data. Explicit consent (TCF v2.2) for consumer data.

FCRA Compliance Statement

SIE Data is NOT a Consumer Reporting Agency. We do not produce consumer reports as defined by 15 U.S.C. § 1681a(d).

  • We provide: Signals, not scores
  • We enable: Intent, not eligibility
  • We serve: Markets, not credit files

Permanently blocked fields (no buyer certification unlocks these):

  • credit_score
  • fico_score
  • bankruptcy
  • payment_history
  • collections
  • employment_history
  • rental_history
  • criminal_record

Security Architecture

Defense-in-depth from encryption at rest to network-level enforcement.

AES-256-GCM Encryption

All PII encrypted at rest with AES-256-GCM. Unique nonces per record. Keys rotated quarterly.

JWT + HMAC-SHA256 Auth

30-minute access tokens, 7-day refresh tokens. API keys authenticated via HMAC-SHA256.

PII SHA-256 Hashing

Consumer identifiers are SHA-256 hashed with server salt before storage. No reversible PII in analytics.

Re-Identification Blocker

Automated k-anonymity enforcement. Signals suppressed if cohort size falls below threshold.

TLS 1.3 In Transit

All API endpoints enforce TLS 1.3. HSTS enabled. Certificate transparency logged.

SOC 2 Controls

Infrastructure, access controls, and monitoring aligned to SOC 2 framework. Type II audit in progress. Request our security questionnaire at [email protected].

Buyer Compliance Dashboard

Every contact you reveal passes our 7-stage compliance pipeline. View real-time compliance status, export audit trails, and verify data provenance at /buyer/compliance.

Data Practices

Transparency in what we collect, how long we keep it, and how fast we delete it.

What We Collect

  • Behavioral intent signals (page visits, dwell time, scroll depth)
  • Public record data (permits, filings, licenses)
  • Zero-party data (self-declared preferences, form submissions)
  • B2B firmographic data (company size, industry, tech stack)

Retention Periods

  • Consumer behavioral data: 90 days
  • B2B intent signals: 365 days
  • Compliance audit logs: 7 years
  • Account data: Duration of relationship + 30 days

Deletion SLA

  • Consumer deletion requests: 24 hours
  • DROP platform sync: Real-time
  • Downstream buyer notification: 48 hours
  • Full purge confirmation: 72 hours

Sub-Processors

Complete list of third-party services that process data on our behalf. Updated quarterly.

| Provider | Purpose | Location | Type |
|---|---|---|---|
| Supabase | Primary database (leads, auth, compliance) | US (AWS us-east-1) | Infrastructure |
| Railway | API hosting and compute | US (GCP us-west1) | Infrastructure |
| AWS (RDS + S3) | Directory database, invoice storage | US (us-east-1) | Infrastructure |
| Vercel | Dashboard and static site hosting | US (Global CDN) | Infrastructure |
| Zoho | Transactional email (SMTP), accounting | US | Business Operations |
| Stripe | Payment processing | US | Billing |
| Anthropic | AI-powered signal classification | US | AI/ML |
| Email verification provider | Email verification and enrichment | EU (France) | Enrichment |
| Proprietary Pipeline | Public records aggregation | US | Data Collection |
| Upstash | Redis caching layer | US (AWS us-east-1) | Infrastructure |

Security Questionnaire FAQ

Common questions from enterprise procurement and security teams.

What is your SOC 2 status?

Our infrastructure, access controls, and monitoring are aligned to the SOC 2 framework. We are currently undergoing a Type II audit with an independent auditor. Contact [email protected] to request our security questionnaire or controls documentation.

When was your last penetration test?

We conduct penetration testing on a quarterly basis. Results and remediation reports are available under NDA for enterprise customers during procurement review.

Do you carry cyber liability insurance?

Yes. We maintain cyber liability and errors & omissions insurance. Coverage details are available upon request during enterprise onboarding.

Where is data stored and processed?

All primary data processing occurs in US-based data centers (AWS us-east-1, GCP us-west1). No consumer PII is transferred outside the United States. See our sub-processor list for full details.

Are you a Consumer Reporting Agency under FCRA?

No. SIE Data is NOT a Consumer Reporting Agency. We do not collect, store, or distribute any FCRA-regulated data. Our FCRA firewall permanently blocks all regulated fields at the infrastructure level. We provide marketing intent signals only.

How do you handle deletion requests?

Consumer deletion requests are processed within 24 hours via our DROP platform integration, direct API, or email. We notify downstream buyers within 48 hours and confirm full purge within 72 hours.

Can we review your data processing agreement (DPA)?

Yes. We provide a standard DPA aligned with CCPA/CPRA and GDPR requirements. Enterprise customers can request custom DPA terms. Contact [email protected] to initiate.

What access controls do you have in place?

Role-based access control (RBAC) with principle of least privilege. All access is logged and auditable. MFA is enforced for all internal systems. API keys use HMAC-SHA256 with automatic rotation.

Contact Our Security Team

Have questions about our security posture? Need documentation for your vendor review? Reach out.

Ready to evaluate SIE Data for your organization?

Start a free 30-day pilot with full compliance documentation included.