Security

Your infrastructure. Your data. Zero compromise.

Datafly Signal is designed to deploy in your own cloud account. Single-tenant isolation, end-to-end encryption, and complete data sovereignty — with Datafly having zero access to your infrastructure or data.

Deployed in your infrastructure

Datafly Signal is designed to run in your own cloud account. Deploy on GCP, AWS, or Azure using Helm charts and Kubernetes. Your data never leaves your VPC — Datafly has zero access to your infrastructure, data, or credentials. This is the recommended deployment model for enterprise customers.

  • Deploy via Helm charts into your own Kubernetes cluster
  • GCP, AWS, Azure — any cloud, any region
  • Datafly has zero access to your data or infrastructure
  • Full operational control — you own the deployment
  • Docker Compose for development and testing
  • Hybrid option available: Datafly manages control plane, you own data plane

Single-tenant isolation

Every deployment is fully isolated. Your data never shares infrastructure, compute, or storage with anyone else. There is no noisy-neighbour risk and no blast radius from another tenant.

  • Dedicated namespace per customer with network policies
  • Isolated databases — no shared tables, no shared connections
  • Independent scaling and resource allocation
  • Optional dedicated cluster for maximum isolation

First-party data sovereignty

All data flows through your own subdomain via DNS A records — not CNAME aliases that can be detected and blocked. Data is processed in your cluster. Vendor API credentials are stored in your infrastructure, not ours.

  • DNS A record pointing to your cluster IP
  • Data processed and stored in your infrastructure
  • No data passes through Datafly-owned servers
  • Full compliance with data residency requirements

Encryption & key management

All data is encrypted in transit and at rest using AES-256-GCM. Enterprise customers can use envelope encryption with their own cloud KMS — the plaintext key only exists in memory at runtime, never on disk. Zero-downtime key rotation with full audit trail.

  • TLS 1.3 for all data in transit (minimum TLS 1.2)
  • AES-256-GCM encryption for all data at rest
  • Envelope encryption with GCP, AWS, Azure KMS or HashiCorp Vault
  • Zero-downtime key rotation with dual-key mechanism
  • Mandatory encryption mode — services refuse to start without valid keys
  • Crypto health checks integrated into Kubernetes readiness probes
  • Full audit trail for all cryptographic operations
  • PCI-DSS, SOC 2, ISO 27001, and FCA/PRA compliant key management

Access control

Fine-grained role-based access control with five distinct roles. Integrate with your existing identity provider via SAML or OIDC for single sign-on, with optional multi-factor authentication.

  • OrgAdmin — full organisation control
  • SourceAdmin — manage sources and integrations
  • SourceEditor — configure pipelines and transformations
  • SourceViewer — read-only access to source data
  • DataGovernanceAdmin — manage PII rules and consent
  • SSO via SAML 2.0 and OpenID Connect
  • Multi-factor authentication support

Audit logging

Every configuration change is recorded with who made the change, when it happened, and the full before-and-after diff. The audit trail is immutable and cannot be edited or deleted by any user, including administrators.

  • Full before/after diffs for every configuration change
  • User attribution with timestamp and IP address
  • Immutable audit trail — no edits, no deletions
  • Searchable and exportable for compliance reporting

Consent architecture

Consent is enforced at two layers: first at data collection in the browser by Datafly.js, and again at delivery by the Delivery Workers. Even if a misconfiguration allows an event through, the second layer catches it before data reaches any vendor.

  • Client-side enforcement in Datafly.js collector
  • Server-side enforcement in Delivery Workers
  • Consent-gated vendor identity syncs
  • Per-vendor consent category mapping
  • Supports all major Consent Management Platforms

Credential security

Vendor API credentials — keys, secrets, tokens — are stored in your cluster's secure configuration store. They are never included in browser JavaScript, never exposed in client-side code, and never transmitted to Datafly.

  • Credentials stored in your cluster config, not ours
  • Never embedded in client-side JavaScript
  • Server-proxied identity syncs keep secrets server-side
  • Rotatable without redeployment

Security is not an add-on. It is the architecture.

From single-tenant isolation to double consent enforcement, every layer of Datafly Signal is designed to keep your data safe, private, and under your control.

AES-256

Encryption at rest

TLS 1.3

Encryption in transit

5 KMS

Cloud key providers

0-down

Key rotation

Ready to take control of your data?

See how Datafly Signal's security-first architecture protects your customer data while delivering it to the vendors you need.

Request a DemoView Platform