SOC 2 Type II, ISO 27001, GDPR, CCPA. EU data residency, SSO, encryption at rest and in transit. The same security stack used by Fortune 500 brands — available to every CustomFit customer, every plan. Our AI runs on your first-party data — never sold, never shared.
Annual independent audit
ISMS certified
Full DPA + EU data residency
Privacy rights honored
TLS 1.3 in transit, AES-256 at rest. Customer-managed keys available on Enterprise.
SSO/SAML, role-based access, fine-grained permissions, IP allowlisting on Enterprise.
Every dashboard action, API call, and flag change logged. SIEM export available.
Annual third-party pentest. Public bug bounty via HackerOne.
US, EU, or India regions. Customer chooses at signup; no cross-region traffic.
24/7 on-call. 99.9% uptime SLA on Enterprise. Public status page at status.customfit.ai.
Independently audited controls for security, availability & confidentiality.
Certified information-security management system.
EU data-protection aligned, with DPA & SCCs available.
California consumer-privacy compliant.
Regular third-party penetration testing; summary under NDA.
Signed DPA and a public sub-processor list on request.
Choose where data is processed to meet regional requirements.
Set how long event data is retained to match your own retention policy.
We don't sell or share visitor data. Ever.
SAML SSO and role-based access on business plans.
Honor data-subject deletion & export requests via API.
TLS in transit, AES-256 at rest.
CustomFit is built to enterprise security standards: SOC 2 Type II and ISO 27001 certified, GDPR and CCPA aligned, with encryption in transit and at rest, edge processing, configurable data residency and retention, and first-party-only data use. Your visitors' data stays yours — we never sell or share it.
Fast, regional, residency-aware.
SSO & role-based permissions.
SOC 2 controls, logged & reviewed.
SOC 2, ISO, DPA & sub-processor list on request.
GDPR/CCPA tooling for access & deletion.
Data residency, SSO & the full security pack.
The SOC 2 report and DPA made our security review painless — CustomFit cleared procurement faster than any tool we've added.
CustomFit.ai security is built to enterprise standards: SOC 2 Type II and ISO 27001 certified, GDPR and CCPA aligned, with encryption in transit (TLS 1.3) and at rest (AES-256), edge processing, and configurable data residency and retention.
CustomFit uses first-party data only and never sells or shares your visitors' information. Access is controlled with SSO and role-based permissions, secrets are vaulted, and every API call is audit-logged so security and compliance teams have a complete trail.
For procurement, a SOC 2 report, DPA, and sub-processor list are available on request — the documentation that typically clears enterprise security reviews quickly. Data residency options help teams meet regional requirements without compromise.
Yes — CustomFit is SOC 2 Type II and ISO 27001 certified, and GDPR and CCPA aligned, with a SOC 2 report and DPA available on request.
No. CustomFit uses first-party data only and never sells or shares visitor data; you control retention and residency.
Data is encrypted in transit with TLS 1.3 and at rest with AES-256, with vaulted secrets and full audit logging.
On audited cloud infrastructure with regional options. We can process data in your required region to meet residency requirements — ask us for specifics for your market.
No. CustomFit uses first-party data solely to deliver your experiences and analytics. We never sell, rent, or share visitor data with third parties.
Yes. A signed Data Processing Agreement and our current sub-processor list are available on request, along with SCCs for international transfers.
We support data-subject access, export, and deletion through our API and dashboard so you can fulfill GDPR/CCPA requests promptly.
No. Marketers build experiments and personalized experiences in a no-code visual editor; developers can use the API and SDKs when they want deeper control.
SOC 2 report, ISO certificate, pentest summary, DPA — all available under NDA.