Trust, designed for enterprise procurement.
Datafly Signal is customer-hosted by default. Your data stays inside your VPC — Datafly never processes it. Everything an enterprise security, legal, or procurement team needs to approve a vendor is on this page.
How we handle your data
Customer-hosted by default
The Signal platform is deployed via Helm into your own AWS, GCP, or Azure account. Datafly provides the code and manifests; you own the infrastructure, the Kubernetes cluster, the databases, and the data.
Zero Datafly access
In a Customer-Hosted deployment, no Datafly employee has network access to your Signal cluster, databases, or Kafka topics. Support is delivered through your own logs and screen-shares you control.
Single-tenant by design
Every customer runs its own isolated stack — one Kubernetes namespace, one PostgreSQL, one Kafka cluster, one Redis. No shared-tenancy path for customer data plane.
Certification roadmap
Datafly Signal is a young company — we’d rather be honest about where we are than claim certifications we don’t yet hold. Here’s the current state and the roadmap:
Cyber Essentials Plus
In progressTarget: Q3 2026UK-specific; the entry-level baseline expected by most UK enterprise buyers.
ISO 27001:2022
In progressTarget: Q4 2026Full ISMS audit in flight; narrow scope (Signal platform & corporate systems).
SOC 2 Type II
PlannedTarget: H1 2027Requires a 6-month observation window after ISO 27001 controls are in place.
GDPR / UK GDPR
CompliantOngoingDPA template available on request; Article 28 subprocessor terms apply; all data stays in customer VPC by default.
PCI-DSS / FCA / DORA / HIPAA
Architecture-compliantCustomer-specificSignal’s architecture is designed to meet the requirements of these frameworks, but formal certification is scope-specific to each customer’s deployment.
Subprocessors
In a Customer-Hosted deployment (the default), Signal runs entirely inside your VPC and has no subprocessors that touch your production data. Your cloud provider (AWS, GCP, or Azure) is your own choice and contract.
In a Hybrid or Datafly-Hosted deployment, Datafly uses the following subprocessors for the components we manage on your behalf:
| Subprocessor | Purpose | Region |
|---|---|---|
| Google Cloud (GCP) | Hybrid / Datafly-Hosted compute & storage | EU (default), US, APAC on request |
| Cloudflare | DNS, edge TLS termination for datafly.co and *.dataflysignal.com | Global anycast |
| Namecheap Inbox (email) | hello@ and support@ email delivery | EU |
Changes to this list are notified to affected customers at least 30 days before they take effect.
Security artefacts
The following documents are available to customers and serious prospects on request. Send us a note and we’ll respond within one business day.
Security Whitepaper
Architecture, encryption, key management, deployment models, and threat model. ~18 pages.
DPA (Data Processing Addendum)
Standard UK GDPR Article 28 DPA template. Customisable to your commercial terms.
SLA
Availability, latency, and incident-response commitments by tier.
Penetration Test Summary
Latest third-party pen-test executive summary (full report under NDA).
Incident reporting & disclosure
Security researchers and customers can report vulnerabilities to [email protected]. We aim to acknowledge within one business day and publish a resolution within 14 days for confirmed issues.
We do not currently run a public bug bounty — responsible disclosure is welcome and will be credited with your consent.
Need something not listed here?
Enterprise security reviews often require bespoke artefacts. Tell us what procurement needs and we will provide it or explain why we cannot.