Security

Your infrastructure. Your data. Zero compromise.

Datafly Signal is designed to deploy in your own cloud account. Single-tenant isolation, end-to-end encryption, and complete data sovereignty — with Datafly having zero access to your infrastructure or data.

Deployed in your infrastructure

Datafly Signal is designed to run in your own cloud account. Deploy on GCP, AWS, or Azure using Helm charts and Kubernetes. Your data never leaves your VPC — Datafly has zero access to your infrastructure, data, or credentials. This is the recommended deployment model for enterprise customers.

  • Deploy via Helm charts into your own Kubernetes cluster
  • GCP, AWS, Azure — any cloud, any region
  • Datafly has zero access to your data or infrastructure
  • Full operational control — you own the deployment
  • Docker Compose for development and testing
  • Hybrid option available: Datafly manages control plane, you own data plane

Single-tenant by definition

Customer-hosted Signal deployments are single-tenant because there is nobody else in your environment. Your deployment runs in your VPC, in your cloud account, on infrastructure that belongs to you. There is no shared infrastructure, no noisy-neighbour risk, and no cross-tenant blast radius — because there are no other tenants. For organisations that prefer a managed deployment, Datafly-hosted Signal provides namespace isolation per customer with network policies, isolated databases, and the option of a dedicated cluster.

  • Customer-hosted: single-tenant by definition — your VPC, your cluster, your data
  • Customer-hosted: zero shared infrastructure with any other organisation
  • Customer-hosted: Datafly has no access unless you explicitly grant it
  • Datafly-hosted: dedicated namespace per customer with network policies
  • Datafly-hosted: isolated databases — no shared tables, no shared connections
  • Datafly-hosted: optional dedicated cluster for the highest isolation requirements

First-party data sovereignty

All data flows through your own subdomain via DNS A records — not CNAME aliases that can be detected and blocked. Data is processed in your cluster. Vendor API credentials are stored in your infrastructure, not ours.

  • DNS A record pointing to your cluster IP
  • Data processed and stored in your infrastructure
  • No data passes through Datafly-owned servers
  • Full compliance with data residency requirements

Encryption & key management

All data is encrypted in transit and at rest using AES-256-GCM. Enterprise customers can use envelope encryption with their own cloud KMS — the plaintext key only exists in memory at runtime, never on disk. Zero-downtime key rotation with full audit trail.

  • TLS 1.3 for all data in transit (minimum TLS 1.2)
  • AES-256-GCM encryption for all data at rest
  • Envelope encryption with GCP, AWS, Azure KMS or HashiCorp Vault
  • Zero-downtime key rotation with dual-key mechanism
  • Mandatory encryption mode — services refuse to start without valid keys
  • Crypto health checks integrated into Kubernetes readiness probes
  • Full audit trail for all cryptographic operations
  • Key management aligned to PCI-DSS, SOC 2, ISO 27001, and FCA/PRA control requirements — your cloud provider's certifications apply at the infrastructure layer
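
The envelope-encryption and dual-key rotation pattern described above, as an added example (not Datafly's code). `LocalKms`, `Keyring`, `rotate` and the key ids are hypothetical names, and `LocalKms` stands in for a cloud KMS so the block runs offline.

```javascript
const nodeCrypto = require('node:crypto');

// AES-256-GCM. Output layout: iv(12) || tag(16) || ciphertext; aad binds the key id.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws if tampered
}

// Hypothetical stand-in for a cloud KMS: the key-encryption key (KEK) stays inside it.
class LocalKms {
  constructor() { this.kek = nodeCrypto.randomBytes(32); }
  wrap(dek) { return seal(this.kek, dek, 'kek'); }
  unwrap(blob) { return unseal(this.kek, blob, 'kek'); }
}

// Only wrapped DEKs are persisted; unwrapped DEKs live in this in-memory map.
class Keyring {
  constructor(kms, wrappedDeks, currentId) {
    // Any key that fails to unwrap throws here, so startup is refused.
    this.deks = new Map(Object.entries(wrappedDeks).map(([id, w]) => [id, kms.unwrap(w)]));
    if (!this.deks.has(currentId)) throw new Error('refusing to start: current key missing');
    this.currentId = currentId;
  }
  encrypt(text) {
    const kid = this.currentId; // new writes always use the current key
    return { kid, data: seal(this.deks.get(kid), Buffer.from(text), kid) };
  }
  decrypt({ kid, data }) {
    const dek = this.deks.get(kid); // old records select the previous key by id
    if (!dek) throw new Error(`unknown key id: ${kid}`);
    return unseal(dek, data, kid).toString();
  }
  healthy() { // readiness-style probe: round trip through the current key
    try { return this.decrypt(this.encrypt('probe')) === 'probe'; } catch { return false; }
  }
}

const newWrappedDek = (kms) => kms.wrap(nodeCrypto.randomBytes(32));
// Rotation: add a new wrapped DEK as current while keeping the previous one for reads.
const rotate = (kms, wrapped, newId) => ({ ...wrapped, [newId]: newWrappedDek(kms) });
```

Because the key id is also the GCM associated data, a record relabelled with a different key id fails authentication instead of decrypting under the wrong key.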

Access control

Fine-grained role-based access control with five distinct roles. Integrate with your existing identity provider via SAML or OIDC for single sign-on, with optional multi-factor authentication.

  • OrgAdmin — full organisation control
  • SourceAdmin — manage sources and integrations
  • SourceEditor — configure pipelines and transformations
  • SourceViewer — read-only access to source data
  • DataGovernanceAdmin — manage PII rules and consent
  • SSO via SAML 2.0 and OpenID Connect
  • Multi-factor authentication support

Audit logging

Every configuration change is recorded with who made the change, when it happened, and the full before-and-after diff. The audit trail is immutable and cannot be edited or deleted by any user, including administrators.

  • Full before/after diffs for every configuration change
  • User attribution with timestamp and IP address
  • Immutable audit trail — no edits, no deletions
  • Searchable and exportable for compliance reporting

Consent architecture

Consent is enforced at two layers: first at data collection in the browser by Datafly.js, and again at delivery by the Delivery Workers. Even if a misconfiguration allows an event through, the second layer catches it before data reaches any vendor.

  • Client-side enforcement in Datafly.js collector
  • Server-side enforcement in Delivery Workers
  • Consent-gated vendor identity syncs
  • Per-vendor consent category mapping
  • Supports all major Consent Management Platforms
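
An added sketch of the two-layer consent check described above, not Datafly's code: the event shape, vendor names, category names and function names are all assumptions. It shows the delivery layer denying destinations even when the collector layer is misconfigured.

```javascript
// Hypothetical per-vendor consent category mapping (vendor names are constructed).
const VENDOR_CATEGORIES = {
  analytics_vendor: ['analytics'],
  ads_vendor: ['marketing'],
  cdp_vendor: ['analytics', 'marketing'],
};

// Shared fail-closed rule: a vendor is allowed only if it is mapped and every
// mapped category is explicitly `true` in the event's consent state.
function decide(vendor, consent, mapping) {
  const required = mapping[vendor];
  if (!Array.isArray(required) || required.length === 0) return 'deny:unmapped-vendor';
  if (!consent || typeof consent !== 'object') return 'deny:no-consent-state';
  const missing = required.filter((cat) => consent[cat] !== true);
  return missing.length ? `deny:missing-${missing.join('+')}` : 'allow';
}

function allowedVendors(event, mapping) {
  return event.vendors.filter((v) => decide(v, event.consent, mapping) === 'allow');
}

// Layer 1 (collector): drop the event before it is sent when no destination
// has consent. `enforce: false` models a misconfigured collector.
function collectorGate(event, mapping, { enforce = true } = {}) {
  if (!enforce) return event;
  return allowedVendors(event, mapping).length > 0 ? event : null;
}

// Layer 2 (delivery): re-evaluate every destination, independent of layer 1,
// and return a per-vendor decision that can be logged.
function deliveryGate(event, mapping) {
  return event.vendors.map((v) => ({ vendor: v, decision: decide(v, event.consent, mapping) }));
}
```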

Credential security

Vendor API credentials — keys, secrets, tokens — are stored in your cluster's secure configuration store. They are never included in browser JavaScript, never exposed in client-side code, and never transmitted to Datafly.

  • Credentials stored in your cluster config, not ours
  • Never embedded in client-side JavaScript
  • Server-proxied identity syncs keep secrets server-side
  • Rotatable without redeployment

Compliance

Compliance is a shared responsibility

Datafly Signal runs in your cloud account, so your existing compliance certifications cover the infrastructure layer. We provide the software and the controls. You own the deployment and inherit the certifications you already hold for your cloud environment.

This is fundamentally different from multi-tenant SaaS. With shared platforms, you depend on the vendor’s certifications, the vendor’s data centres, and the vendor’s audit boundary. With Signal, your AWS, GCP, or Azure environment carries the certifications — and Signal inherits them by virtue of running inside your boundary.

  • Cloud infrastructure (owned by your cloud provider): AWS · GCP · Azure; SOC 2 · ISO 27001 · PCI-DSS · HIPAA · FedRAMP
  • Signal deployment (owned by your operations team): VPC · Network policies · IAM · Secrets · Deployment pipeline · Access review
  • Signal software (owned by Datafly): AES-256 · RBAC · Audit · Consent · PII · Secure SDLC · Pen testing

Datafly’s organisational certifications

Datafly Ltd’s own certifications cover our development and delivery operations — the people, processes, and systems we use to build, ship, and support Signal.

  • ISO 27001 in progress — prioritised given our EMEA enterprise customer base
  • SOC 2 Type II in progress — for North American enterprise readiness
  • Our security whitepaper documents the full control set, audit boundaries, and ongoing certification roadmap

For enterprise procurement teams, request the security whitepaper alongside your demo. We’re happy to walk through the control mapping, the certification roadmap, and how Signal’s customer-hosted architecture changes the procurement conversation.

Security is not an add-on. It is the architecture.

From single-tenant isolation to double consent enforcement, every layer of Datafly Signal is designed to keep your data safe, private, and under your control.

  • AES-256: Encryption at rest
  • TLS 1.3: Encryption in transit
  • 5 KMS: Cloud key providers
  • 0-down: Key rotation

Ready to take control of your data?

See how Datafly Signal's security-first architecture protects your customer data while delivering it to the vendors you need.