catchotp

Trust

Security and infrastructure

How we protect your data. What we collect, how long we keep it, and who has access.

Hosted on: AWS us-east-1
Encryption: TLS 1.3 in transit / AES-256 at rest (AWS KMS)
Backup: 35-day point-in-time recovery (PITR)
SOC 2: Type II (in progress)

Encryption

TLS 1.3 in transit. AES-256 at rest, with keys managed by AWS KMS. Customer-managed keys (CMK) are available on Enterprise. All inter-service communication inside our VPC is encrypted as well — no plaintext traffic, even on private networks.

Data retention

Message bodies live in DynamoDB and S3 for your plan's retention window (24 hours on Free, up to 90 days on Team); once the window expires, the bytes are deleted. Audit-log metadata (sender, timestamp, message ID, never the body) is retained for 365 days for compliance and abuse investigation. Backups: 35-day point-in-time recovery via AWS-native PITR. Note that point-in-time recovery restores a table to any point within that window, so an expired message body can still be recovered from backup for up to 35 days after it is deleted.

Access controls

Engineers access production via AWS SSO with MFA enforced. There are no shared accounts and no long-lived static credentials in our infrastructure. Every administrative action — viewing customer data, suspending accounts, querying logs — is recorded in an immutable audit log.

Compliance

GDPR-aligned. A Data Processing Agreement is available on request and is part of every paid contract by default. SOC 2 Type II audit is in progress with a target of Q3 2026. Our architecture is HIPAA-ready: BAAs are available for Enterprise customers in regulated verticals.

Subprocessors

AWS (us-east-1), Cloudflare (DNS + edge), and Stripe (billing). The full list — including data flows and DPA links — is published at /legal/subprocessors and is updated 30 days before any change.

Bug bounty and disclosure

Report security findings to security@catchotp.com. We acknowledge reports within 48 hours. We welcome coordinated disclosure and do not pursue researchers who follow standard disclosure norms. A formal bug-bounty program with paid bounties is on the roadmap.

Region

us-east-1 (Northern Virginia) at launch. An EU region (eu-west-1) is on the roadmap for customers with data-residency requirements. Customers can pin processing to either region once available.

Need a DPA, security questionnaire, or pen-test report?

Email security@catchotp.com and we'll get back to you within one business day.