
Security

How we build, run, and operate Smoov to protect your data.

Security infrastructure

  • Encryption at rest for all stored data; encryption in transit via TLS 1.2+ on every external endpoint.
  • Least-privilege access by default. Production credentials are scoped per-service; no shared admin keys.
  • Secure SDLC: dependency review, type-checking gates, secret scanning, and pre-merge automated checks on every change.

Operational security

  • Continuous error monitoring with PII scrubbing; structured request logs retained on a defined schedule.
  • Documented incident response with on-call coverage.
  • 72-hour breach notification commitment from confirmed incident to affected-customer notice. See breach notification.

Product security

  • Admin controls scoped to founder-level accounts only; all admin actions are append-only audit-logged.
  • Deletion cascade: when an account is deleted, related rows (listings, deals, subscriptions, signals) cascade or are irreversibly anonymized.
  • See /privacy/rights for our full data-handling policy.

Privacy

Detailed policies and processor disclosures: privacy policy, data processing agreement, subprocessors.

Compliance

See our compliance posture for active certifications, in-progress audits, and out-of-scope frameworks.

AI governance

See AI security and governance and trust & safety methodology.