Security at sarvaFeed

Your feedback, test data, and team collaboration belong to you. We protect it with the same discipline we expect from any tool we'd trust ourselves.

Cloud Security & Infrastructure

Where sarvaFeed runs and how the foundation is hardened.

The entire sarvaFeed platform is built on top of a tier-one public cloud provider, deployed across multiple availability zones in the regions you choose. Workloads automatically scale to meet demand and our cloud provider transparently brings up additional capacity when traffic increases.

Data is stored in managed database services that support point-in-time recovery, so we can roll back to a recent moment in the event of developer error or data corruption.

The cloud provider's underlying data centers carry independent certifications including SOC 1, SOC 2, ISO 27001, ISO 27017, ISO 27018, PCI DSS, and HIPAA. These attestations apply to the physical infrastructure that sarvaFeed runs on; we detail our own posture in the sections below.

Compliance & Certifications

Where we are today as an early-stage platform.

sarvaFeed is an early-stage platform. We are not yet pursuing formal third-party certifications such as SOC 2 or ISO 27001, nor do we currently claim compliance with regulatory frameworks like GDPR. We build to industry best practices today, and will publish audit reports and add regulatory programs as the company matures. Customers under NDA can request our current security questionnaire and policy summaries.

Physical Security

Controls at the data centers that host sarvaFeed.

Our cloud provider operates purpose-built data centers with redundant power, networking, and cooling.
Physical access is controlled by surveillance, detection systems, and other electronic means; entry to server rooms is monitored by closed-circuit television.
Staff access requires multi-factor authentication and is granted on a time-bound, least-privilege basis.
sarvaFeed employees do not have, and do not need, physical access to the underlying data centers.

Network & System Security

How traffic and servers are protected.

All connections to sarvaFeed use industrial-grade TLS 1.3 with strong cipher suites.
Customer data is encrypted at rest using AES-256. Encryption keys are managed by our cloud provider's key management service.
Production servers run hardened, regularly patched Linux images.
Administrative access to production systems is gated behind VPN, SSH keys, and multi-factor authentication, and is restricted to a small, named group of engineers.
Every request to production is logged with timestamp, identity, and source IP. Logs are retained centrally for review.
An intrusion detection system monitors continuously for known attacks and brute-force attempts, with 24x7x365 alerts for abnormal activity.
Inbound traffic is protected by our cloud provider's DDoS mitigation.
Encrypted automated backups, snapshots, and replicas are maintained on a regular schedule.

Application Security

How the products themselves are built and defended.

We rely on well-known, actively maintained open-source libraries and review them before adoption.
Every architectural change goes through an in-depth security review before it ships.
We run continuous dependency scanning, container image scanning, and static analysis on every commit. Pre-production environments are subjected to manual assessment and dynamic scanning.
User passwords are stored as one-way salted hashes. We enforce a minimum password length and complexity, and rate-limit login attempts to defend against brute force.
Two-factor authentication is available for all users and required for administrative actions on Business and Enterprise plans.
SAML 2.0 single sign-on is available on Business and Enterprise plans for federated authentication with your identity provider.
Role-based authorization controls every API call. What a user can see and do is determined by their role within each project.
Object-level audit logs capture user activity for review and investigation.

Organizational Security

The people, devices, and processes behind the platform.

All employees and contractors sign confidentiality agreements as a condition of engagement.
Security training is part of onboarding and is refreshed annually.
Company laptops and workstations are centrally managed with full-disk encryption, antivirus, and firewall enforcement.
Access to production systems, customer data, and secrets is granted on the principle of least privilege, scoped to the specific role, and reviewed on a regular cadence.
Production access for sensitive operations is limited to a small, named group of senior engineers.

Disaster Recovery

What happens when things go wrong.

Web tiers are self-healing: unhealthy instances are terminated automatically and replacements are brought up in another availability zone without manual intervention.
Our primary database runs with a synchronous standby replica in a separate availability zone. Failover is automatic and typically completes in under one minute.
Object storage is replicated across multiple facilities by our cloud provider for durability.
Encrypted snapshots are taken at least every 30 minutes and retained off-site according to a documented retention schedule.
We exercise our recovery procedures periodically to verify that backups are usable and that runbooks work end-to-end.

Availability

How we keep sarvaFeed up.

Every individual component of the platform is deployed in a high-availability configuration across multiple availability zones.
Our target for production services is 99.9% monthly availability. As we operate at scale we will publish a public status page with real-time component health and historical uptime.
Planned maintenance is communicated to customers in advance and scheduled to minimize impact.

Data Handling

Transparency about what we store, where, and for how long.

Data Residency

Production data is stored in secure data centers in the regions you choose. EU customers can request that data remain in the EU; enterprise customers can request other regional pinning where supported by our cloud provider.

Data Retention

We retain customer data for as long as your account is active. When you delete your account, we permanently remove or anonymize associated personal data within 30 days, except where retention is required by law. Encrypted backups are purged on their normal rotation schedule.

Subprocessors

We carefully vet every subprocessor and bind them by contractual confidentiality and data protection obligations. We maintain a current list of subprocessors and notify customers in advance of material changes. Contact privacy@sarvafeed.com for the full list.

Customer Content Ownership

You own the content you bring into sarvaFeed. We process it only to provide and improve the services you've asked for, and we never sell it. You can export your data at any time from within the product.

Responsible Disclosure

If you find a vulnerability, we want to hear about it.

We welcome reports from independent security researchers. If you believe you have discovered a security vulnerability in any sarvaFeed product or property, please email security@sarvafeed.com with a clear description and reproduction steps. We will acknowledge your report within one business day and keep you updated as we investigate.

Please act in good faith: avoid privacy violations, data destruction, and service degradation. We will not pursue legal action against researchers who follow these guidelines and give us reasonable time to remediate before public disclosure.

Questions about security?

Talk to our security team for questionnaires, DPAs, and architecture details.

Contact Security Team