Security & Trust Centre
Everything your security team needs to evaluate Specky. SOC 2 alignment, GDPR/CCPA compliance, encryption details, data residency, sub-processors, DPA, and incident response.
Compliance status
We continuously align with leading security frameworks. Below is the current status of each certification or compliance regime.
SOC 2 Type II
Security controls mapped to the SOC 2 Trust Services Criteria. An independent auditor's report is available under NDA for enterprise evaluations; the full Type II attestation is in progress.
GDPR (EU)
Full compliance with the EU General Data Protection Regulation. A Data Processing Agreement (Art. 28) is available. Data subject rights under Art. 15–20 (access, rectification, erasure, restriction of processing and data portability) are self-serviceable from workspace settings.
UK GDPR
Aligned with the UK GDPR (the EU GDPR as retained in UK law after Brexit). The ICO's International Data Transfer Agreement (IDTA) is available for restricted transfers of personal data out of the UK.
CCPA / CPRA
Compliant with the California Consumer Privacy Act and California Privacy Rights Act. Opt-out mechanisms, data deletion, and right-to-know requests supported.
ISO 27001
ISO 27001 Information Security Management System certification is on the roadmap for 2026. Controls are being implemented to meet the standard.
HIPAA
BAA (Business Associate Agreement) available for healthcare customers processing protected health information (PHI). Contact us to discuss HIPAA-compliant deployment options.
How we handle your data
Your product data is sensitive. Here's a precise account of where it goes, who can see it, and how it's protected.
Does Specky train AI models on my data?
Where is my data stored?
What are my GDPR rights?
How long is my data retained?
Do you have a Data Processing Agreement (DPA)?
Who are your sub-processors?
Infrastructure & encryption
Specky is built on managed, enterprise-grade infrastructure with defence-in-depth encryption at every layer.
Encryption at rest
- AES-256-GCM encryption on all stored data
- Row-level security (RLS) enforced on every database query
- Encryption keys managed by Supabase Vault
- Separate encryption keys per workspace (enterprise)
Encryption in transit
- TLS 1.3 on all client-server connections
- HSTS enforced (2-year max-age, preload)
- Certificate Transparency monitoring
- Perfect Forward Secrecy (PFS) on all sessions
Infrastructure
- Hosted on Supabase (PostgreSQL) + Vercel Edge
- EU region (Frankfurt, Germany)
- 99.9% uptime SLA (enterprise: 99.95%)
- Daily automated backups, 30-day retention
Monitoring & availability
- 24/7 infrastructure monitoring and alerting
- Real-time anomaly detection on auth events
- Health check endpoint for external monitoring
- Status page: status.specky.space
Identity & access management
Specky supports multiple auth methods and fine-grained access control to match your security posture.
Authentication
- Email + password (bcrypt hashed)
- Google OAuth 2.0
- SSO / SAML 2.0 (Enterprise)
- Magic link (passwordless)
- MFA via TOTP authenticator apps
Workspace roles
- Owner — full admin access
- Admin — manage members & settings
- Editor — create & edit content
- Viewer — read-only access
- Custom roles (Enterprise)
Session management
- JWT access tokens with short expiry (1 hour)
- Refresh token rotation on every use
- Force-logout all sessions (self-serve)
- Admin session revocation
- Device tracking & audit logging
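The security value of rotating a refresh token on every use is that a token which turns up twice is evidence of theft. The following is an added example, not Specky's code: an in-memory store that rotates refresh tokens within a per-login "family", treats reuse of an already-rotated token as compromise and revokes the whole family, and implements "force-logout all sessions" as revocation of every family a user owns. The page states only that rotation happens; the reuse-detection response and the storage layout here are assumptions of the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class RefreshRecord:
    family: str       # one family per login; rotation changes the token, keeps the family
    user_id: str
    used: bool = False
    revoked: bool = False


class RefreshTokenStore:
    """Refresh token rotation with reuse detection.

    In-memory for the example; a deployment would back this with the database.
    Only a SHA-256 hash of each token is stored, so a leaked table yields no
    usable tokens.
    """

    def __init__(self) -> None:
        self._records: Dict[str, RefreshRecord] = {}   # token hash -> record
        self._families: Dict[str, Set[str]] = {}       # family id -> token hashes

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user_id: str, family: str) -> str:
        token = secrets.token_urlsafe(32)
        h = self._h(token)
        self._records[h] = RefreshRecord(family=family, user_id=user_id)
        self._families.setdefault(family, set()).add(h)
        return token

    def login(self, user_id: str) -> str:
        """A fresh login starts a new family."""
        return self._issue(user_id, family=secrets.token_hex(8))

    def rotate(self, token: str) -> Optional[str]:
        """Exchange a refresh token for a new one. Returns None if the caller must re-login."""
        rec = self._records.get(self._h(token))
        if rec is None or rec.revoked:
            return None
        if rec.used:
            # The same token presented twice: the legitimate client and an attacker
            # both hold it. Neither can be trusted, so kill the whole family.
            self.revoke_family(rec.family)
            return None
        rec.used = True
        return self._issue(rec.user_id, rec.family)

    def revoke_family(self, family: str) -> None:
        for h in self._families.get(family, ()):
            self._records[h].revoked = True

    def revoke_all_for_user(self, user_id: str) -> None:
        """'Force-logout all sessions': every family belonging to the user is revoked."""
        for family, hashes in self._families.items():
            if any(self._records[h].user_id == user_id for h in hashes):
                self.revoke_family(family)


def demo() -> dict:
    store = RefreshTokenStore()
    t1 = store.login("user_42")          # constructed user id
    t2 = store.rotate(t1)                # normal rotation: t1 is now spent
    replay = store.rotate(t1)            # attacker replays the stolen t1
    after = store.rotate(t2)             # the legitimate client's token is dead too
    return {"rotated": t2 is not None, "replay": replay, "after": after}
```

Two families for the same user stay independent: revoking one (after a detected replay) does not log the user out of an unrelated device unless `revoke_all_for_user` is called, which is the self-serve "force-logout" action above.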
API security
- Scoped API keys per integration
- API key rotation without downtime
- Rate limiting on all endpoints
- HMAC-signed webhook payloads
- IP allowlisting (Enterprise)
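Verifying an HMAC-signed webhook correctly is where integrations most often go wrong: comparing with `==` leaks timing, re-serialising the parsed JSON changes the bytes under the MAC, and omitting a timestamp from the signed data allows replays. The block below is an added example, not Specky's delivery code; the header names, the `sha256=` prefix and the "timestamp.body" signing scheme are assumptions made for the example, since the page does not document the webhook format. It shows both the producer's signature and the receiver's check, including the replay window.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Hypothetical header names and scheme, assumed for this example only.
SIGNATURE_HEADER = "X-Specky-Signature"
TIMESTAMP_HEADER = "X-Specky-Timestamp"
REPLAY_WINDOW_SECONDS = 300


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Producer side: HMAC-SHA256 over "<timestamp>.<raw body>".

    Binding the timestamp into the MAC is what lets the receiver reject replays;
    a signature over the body alone can be re-delivered indefinitely.
    """
    msg = str(timestamp).encode() + b"." + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: Dict[str, str], body: bytes,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Receiver side. Returns (accepted, reason).

    Must run on the RAW request body before any JSON parsing.
    """
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TIMESTAMP_HEADER)
    sig = headers.get(SIGNATURE_HEADER, "")
    if ts_raw is None or not sig.startswith("sha256="):
        return False, "missing signature or timestamp"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    # Reject before doing any crypto: stale deliveries are not worth a MAC computation.
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign_payload(secret, ts, body)
    # compare_digest is constant-time; a plain == returns early on the first
    # differing byte and leaks how much of the signature an attacker has right.
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"


def demo() -> dict:
    secret = b"whsec_example_not_a_real_secret"            # constructed
    now = 1_750_000_000                                     # fixed clock for determinism
    body = json.dumps({"event": "spec.updated", "id": "spec_123"}).encode()  # constructed
    good = {TIMESTAMP_HEADER: str(now), SIGNATURE_HEADER: sign_payload(secret, now, body)}
    tampered_body = body.replace(b"spec_123", b"spec_999")
    old = now - 3600
    stale = {TIMESTAMP_HEADER: str(old), SIGNATURE_HEADER: sign_payload(secret, old, body)}
    return {
        "valid": verify_webhook(secret, good, body, now),
        "tampered": verify_webhook(secret, good, tampered_body, now),
        "stale": verify_webhook(secret, stale, body, now),
        "wrong_secret": verify_webhook(b"some-other-secret", good, body, now),
    }
```

The replay window is a trade-off: 5 minutes tolerates clock skew and delivery retries while bounding how long a captured request stays valid; a receiver that also records seen signatures within the window closes replay entirely.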
Audit logging
- Immutable log of all auth events
- Data access & export events
- Admin & settings changes
- AI interaction logging
- Export to SIEM / Splunk (Enterprise)
Enterprise SSO
- SAML 2.0 IdP support
- Works with Okta, Microsoft Entra ID (formerly Azure AD) and Google Workspace
- SCIM provisioning for user lifecycle
- JIT (just-in-time) provisioning
- Custom attribute mapping
Third-party sub-processors
We maintain a complete list of sub-processors with access to customer data. We notify customers 30 days before adding a new sub-processor. Last updated: April 2026.
| Processor | Purpose |
|---|---|
| Supabase | Database, Auth, Storage |
| Vercel | Compute & Edge Network |
| Google Generative AI | AI inference (Gemini) |
| Stripe | Payment processing |
| PostHog | Product analytics (opt-in) |
| Resend | Transactional email |
| Google Analytics | Marketing analytics (opt-in) |
Want the full sub-processor list with DPA annexes? Email security@specky.space
Incident response & disclosure
We take security incidents seriously. Here's what happens when something goes wrong.
Breach notification
We notify affected customers within 72 hours of confirming a data breach. As your processor, this supports your own obligations under GDPR Art. 33 (notification to the supervisory authority) and Art. 34 (communication to data subjects) and under the CCPA. Notification includes the nature of the incident, the data affected, and remediation steps.
Response SLAs
Critical security incidents: 1-hour initial response, 4-hour containment target. High-severity issues: 4-hour initial response, 24-hour resolution target. All other security issues: 5 business days.
Vulnerability disclosure
We operate a responsible disclosure programme. If you find a vulnerability, email security@specky.space with details. We'll respond within 2 business days and credit you in our Hall of Fame if you wish.
Penetration testing
Annual third-party penetration tests are conducted by an independent security firm. Summary reports are available to enterprise customers under NDA. Our last test was completed January 2026.
Security FAQ
Can I use Specky if I'm subject to HIPAA?
Do you offer on-premise or VPC deployment?
How do you handle AI sub-processors and data residency?
Can I get a security questionnaire filled out?
What happens to my data if I cancel?
How are API integrations secured?
Still have security questions?
Our security team responds to all enquiries within one business day. We can provide SOC 2 reports, DPAs, completed security questionnaires, pen test summaries, and custom contractual arrangements.
Last reviewed: April 2026 · Next review scheduled: October 2026