
Security & Trust Centre

Everything your security team needs to evaluate Specky. SOC 2 alignment, GDPR/CCPA compliance, encryption details, data residency, sub-processors, DPA, and incident response.

Certifications

Compliance status

We continuously align with leading security frameworks. Below is the current status of each certification or compliance regime.

SOC 2 Type II
Status: Aligned

Security controls mapped to SOC 2 Trust Service Criteria. Independent audit report available under NDA for enterprise evaluations. Full Type II certification in progress.

GDPR (EU)
Status: Compliant

Full compliance with the EU General Data Protection Regulation. Data Processing Agreement (Art. 28) available. All data subject rights (Art. 15–20) are self-serviceable from workspace settings.

UK GDPR
Status: Compliant

Aligned with UK GDPR (retained from the EU GDPR post-Brexit). International Data Transfer Agreements (IDTA) available for UK-to-non-UK transfers.

CCPA / CPRA
Status: Compliant

Compliant with the California Consumer Privacy Act and California Privacy Rights Act. Opt-out mechanisms, data deletion, and right-to-know requests supported.

ISO 27001
Status: Roadmap

ISO 27001 Information Security Management System certification is on the roadmap for 2026. Controls are being implemented to meet the standard.

HIPAA
Status: On request

BAA (Business Associate Agreement) available for healthcare customers processing protected health information (PHI). Contact us to discuss HIPAA-compliant deployment options.
Data & privacy

How we handle your data

Your product data is sensitive. Here's a precise account of where it goes, who can see it, and how it's protected.

Does Specky train AI models on my data?
No — never. Your workspace data is never used to train any AI model, including models from our providers (Google, Anthropic, OpenAI). Every AI call is scoped to your session only. This is contractually guaranteed in our Terms of Service and DPA.

Where is my data stored?
All workspace data is stored exclusively in the EU on Supabase infrastructure in Frankfurt, Germany. Your data never leaves the EU. Residency certificates are available on request for enterprise customers.

What are my GDPR rights?
All GDPR rights (Art. 15–20) are self-serviceable from your workspace Settings → Privacy & Data: right of access (data export), right to erasure (account deletion with 30-day grace period), right to data portability (JSON export), and consent management. You don't need to email us.

How long is my data retained?
Active workspace data is retained for the duration of your subscription. Deleted data is purged within 30 days. Audit logs are retained for 2 years per SOC 2 requirements, then anonymised. Backups are retained for 30 days.

Do you have a Data Processing Agreement (DPA)?
Yes. A standard DPA (GDPR Art. 28 compliant) is available immediately upon request. For enterprise customers, we support custom DPAs and can accommodate additional standard contractual clauses (SCCs) for international transfers. Email security@specky.space.

Who are your sub-processors?
We maintain a sub-processor list (see below). Core sub-processors are: Supabase (database, Auth, storage — EU, Frankfurt), Vercel (compute — US), Google Generative AI (AI inference — US), PostHog (analytics — EU or US, opt-in), Stripe (billing — US). No sub-processor has access to your workspace content data.

Infrastructure

Infrastructure & encryption

Specky is built on managed, enterprise-grade infrastructure with defence-in-depth encryption at every layer.

Encryption at rest

  • AES-256-GCM encryption on all stored data
  • Row-level security (RLS) enforced on every database query
  • Encryption keys managed by Supabase Vault
  • Separate encryption keys per workspace (enterprise)

Encryption in transit

  • TLS 1.3 on all client-server connections
  • HSTS enforced (2-year max-age, preload)
  • Certificate Transparency monitoring
  • Perfect Forward Secrecy (PFS) on all sessions

Infrastructure

  • Hosted on Supabase (PostgreSQL) + Vercel Edge
  • EU availability zone (Frankfurt, Germany)
  • 99.9% uptime SLA (enterprise: 99.95%)
  • Daily automated backups, 30-day retention

Monitoring & availability

  • 24/7 infrastructure monitoring and alerting
  • Real-time anomaly detection on auth events
  • Health check endpoint for external monitoring
  • Status page: status.specky.space

Access control

Identity & access management

Specky supports multiple auth methods and fine-grained access control to match your security posture.

Authentication

  • Email + password (bcrypt hashed)
  • Google OAuth 2.0
  • SSO / SAML 2.0 (Enterprise)
  • Magic link (passwordless)
  • MFA via TOTP authenticator apps

Workspace roles

  • Owner — full admin access
  • Admin — manage members & settings
  • Editor — create & edit content
  • Viewer — read-only access
  • Custom roles (Enterprise)

Session management

  • JWT tokens with short expiry (1 hour)
  • Refresh token rotation on every use
  • Force-logout all sessions (self-serve)
  • Admin session revocation
  • Device tracking & audit logging

API security

  • Scoped API keys per integration
  • API key rotation without downtime
  • Rate limiting on all endpoints
  • HMAC-signed webhook payloads
  • IP allowlisting (Enterprise)

Audit logging

  • Immutable log of all auth events
  • Data access & export events
  • Admin & settings changes
  • AI interaction logging
  • Export to SIEM / Splunk (Enterprise)

Enterprise SSO

  • SAML 2.0 IdP support
  • Works with Okta, Azure AD, Google Workspace
  • SCIM provisioning for user lifecycle
  • JIT (just-in-time) provisioning
  • Custom attribute mapping

Sub-processors

Third-party sub-processors

We maintain a complete list of sub-processors with access to customer data. We notify customers 30 days before adding a new sub-processor. Last updated: April 2026.

Processor | Purpose | Data location | Data type
Supabase | Database, Auth, Storage | EU (Frankfurt, Germany) | All workspace data
Vercel | Compute & Edge Network | Global CDN, US origin | Request logs (transient)
Google Generative AI | AI inference (Gemini) | US | Prompt content (not stored)
Stripe | Payment processing | US | Billing & payment info
PostHog | Product analytics (opt-in) | EU or US (your choice) | Usage events (anonymised)
Resend | Transactional email | US | Email address, notification content
Google Analytics | Marketing analytics (opt-in) | US | Anonymised page views

Want the full sub-processor list with DPA annexes? Email security@specky.space

Incident response

Incident response & disclosure

We take security incidents seriously. Here's what happens when something goes wrong.

Breach notification

We notify affected customers within 72 hours of confirming a data breach, meeting GDPR Art. 33/34 and CCPA requirements. Notification includes nature of the incident, data affected, and remediation steps.

Response SLAs

Critical security incidents: 1-hour initial response, 4-hour containment target. High-severity issues: 4-hour response, 24-hour resolution target. All security issues: 5 business days.

Vulnerability disclosure

We operate a responsible disclosure programme. If you find a vulnerability, email security@specky.space with details. We'll respond within 2 business days and credit you in our Hall of Fame if you wish.

Penetration testing

Annual third-party penetration tests are conducted by an independent security firm. Summary reports are available to enterprise customers under NDA. Our last test was completed January 2026.

FAQ

Security FAQ

Can I use Specky if I'm subject to HIPAA?
Yes, with a signed Business Associate Agreement (BAA). Contact security@specky.space to discuss HIPAA-eligible deployment. Note: standard plans do not include a BAA — it must be arranged before any PHI is processed.

Do you offer on-premise or VPC deployment?
Yes, for enterprise customers. We support single-tenant VPC deployment on AWS or GCP, as well as air-gapped on-premise options. Contact sales@specky.space to discuss requirements and pricing.

How do you handle AI sub-processors and data residency?
AI inference (Google Gemini) is processed in the US. Prompt data is not stored by Google and is not used for training under our business agreement. For customers requiring EU-only AI processing, we can route inference through an EU-based model — contact us to discuss.

Can I get a security questionnaire filled out?
Yes. Email security@specky.space with your questionnaire attached. We aim to return completed questionnaires within 5 business days. We've pre-answered the most common vendor risk assessment formats (SIG Lite, CAIQ, VSA).

What happens to my data if I cancel?
Your data is retained for 30 days after cancellation to allow re-activation or export. After 30 days, all workspace data is permanently deleted. You can trigger immediate deletion from Settings → Privacy & Data at any time.

How are API integrations secured?
OAuth tokens from integrations (Slack, Jira, GitHub, etc.) are encrypted at rest using AES-256 and stored separately from workspace content. We only request the minimum OAuth scopes needed. You can revoke any integration from the workspace settings at any time.

Still have security questions?

Our security team responds to all enquiries within one business day. We can provide SOC 2 reports, DPAs, completed security questionnaires, pen test summaries, and custom contractual arrangements.

Email security@specky.space

Last reviewed: April 2026 · Next review scheduled: October 2026
