Enterprise-grade security by default
Single-tenant isolation, end-to-end encryption, and complete data sovereignty. Every deployment, every customer.
Single-tenant isolation
Every customer gets a dedicated Kubernetes namespace — or an entirely separate cluster. Your data never shares infrastructure, compute, or storage with anyone else. There is no noisy-neighbour risk and no blast radius from another tenant.
- Dedicated namespace per customer with network policies
- Isolated databases — no shared tables, no shared connections
- Independent scaling and resource allocation
- Optional dedicated cluster for maximum isolation
First-party data sovereignty
All data flows through your own subdomain via DNS A records — not CNAME aliases that can be detected and blocked. Data is processed in your cluster. Vendor API credentials are stored in your infrastructure, not ours.
- DNS A record pointing to your cluster IP
- Data processed and stored in your infrastructure
- No data passes through Datafly-owned servers
- Full compliance with data residency requirements
Encryption
All data is encrypted in transit and at rest. Cross-domain identity tokens are encrypted with AES-256-GCM and are short-lived and single-use, so a captured token cannot be replayed.
- TLS 1.3 for all data in transit (minimum TLS 1.2)
- AES-256 encryption for all data at rest
- Cross-domain tokens encrypted with AES-256-GCM
- 60-second TTL with single-use nonces on identity tokens
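The token properties listed above (AES-256-GCM, 60-second TTL, single-use nonce), sketched as an added example that is not Datafly's own code. The token layout, the claim names and the in-memory nonce cache are assumptions; a deployment with several instances would need a shared store for the cache.

```javascript
// Added illustration; token layout and claim names are assumed, not Datafly's.
const crypto = require("node:crypto");

const TTL_MS = 60_000;                // 60-second TTL from the list above
const KEY = crypto.randomBytes(32);   // AES-256 key, constructed for this demo
const usedNonces = new Map();         // nonce -> expiry (single-use tracking)

// Assumed layout: base64url( iv[12] || authTag[16] || ciphertext )
function issueToken(subject, now = Date.now()) {
  const iv = crypto.randomBytes(12);  // fresh GCM IV per token
  const claims = JSON.stringify({
    sub: subject,
    exp: now + TTL_MS,
    nonce: crypto.randomBytes(16).toString("hex"),
  });
  const cipher = crypto.createCipheriv("aes-256-gcm", KEY, iv);
  const ct = Buffer.concat([cipher.update(claims, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64url");
}

function redeemToken(token, now = Date.now()) {
  const raw = Buffer.from(token, "base64url");
  if (raw.length <= 28) return { ok: false, reason: "malformed" };
  let claims;
  try {
    const decipher = crypto.createDecipheriv("aes-256-gcm", KEY, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    claims = JSON.parse(pt.toString("utf8"));
  } catch {
    return { ok: false, reason: "tampered" }; // GCM tag check failed
  }
  if (now >= claims.exp) return { ok: false, reason: "expired" };
  // Drop nonces whose tokens have expired anyway, so the cache stays bounded.
  for (const [n, exp] of usedNonces) if (exp <= now) usedNonces.delete(n);
  if (usedNonces.has(claims.nonce)) return { ok: false, reason: "replayed" };
  usedNonces.set(claims.nonce, claims.exp);
  return { ok: true, sub: claims.sub };
}
```

The expiry check runs before the nonce lookup, so purging expired nonces from the cache never reopens a replay window.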
Access control
Fine-grained role-based access control with five distinct roles. Integrate with your existing identity provider via SAML or OIDC for single sign-on, with optional multi-factor authentication.
- OrgAdmin — full organisation control
- SourceAdmin — manage sources and integrations
- SourceEditor — configure pipelines and transformations
- SourceViewer — read-only access to source data
- DataGovernanceAdmin — manage PII rules and consent
- SSO via SAML 2.0 and OpenID Connect
- Multi-factor authentication support
Audit logging
Every configuration change is recorded with who made the change, when it happened, and the full before-and-after diff. The audit trail is immutable and cannot be edited or deleted by any user, including administrators.
- Full before/after diffs for every configuration change
- User attribution with timestamp and IP address
- Immutable audit trail — no edits, no deletions
- Searchable and exportable for compliance reporting
Consent architecture
Consent is enforced at two layers: first at data collection in the browser by Datafly.js, and again at delivery by the Delivery Workers. Even if a misconfiguration allows an event through, the second layer catches it before data reaches any vendor.
- Client-side enforcement in Datafly.js collector
- Server-side enforcement in Delivery Workers
- Consent-gated vendor identity syncs
- Per-vendor consent category mapping
- Supports all major Consent Management Platforms
Credential security
Vendor API credentials — keys, secrets, tokens — are stored in your cluster's secure configuration store. They are never included in browser JavaScript, never exposed in client-side code, and never transmitted to Datafly.
- Credentials stored in your cluster config, not ours
- Never embedded in client-side JavaScript
- Server-proxied identity syncs keep secrets server-side
- Rotatable without redeployment
Customer-hosted option
Deploy Datafly Signal in your own VPC using our Helm charts. In this model, Datafly has zero access to your data, infrastructure, or credentials. You maintain full operational control.
- Deploy via Helm charts into your own Kubernetes cluster
- Datafly has no access to your data or infrastructure
- Full operational control — you own the deployment
- Available for AWS, GCP, and Azure
Security is not an add-on. It is the architecture.
From single-tenant isolation to double consent enforcement, every layer of Datafly Signal is designed to keep your data safe, private, and under your control.
- AES-256: Encryption at rest
- TLS 1.3: Encryption in transit
- 5 roles: RBAC access control
- 2-layer: Consent enforcement
Ready to take control of your data?
See how Datafly Signal's security-first architecture protects your customer data while delivering it to the vendors you need.