Security & Compliance

NotifyHero is built for teams that take security seriously. Here's how we protect your data.


Certifications

SOC 2 Type II

NotifyHero is SOC 2 Type II certified. Our audit covers security, availability, and confidentiality controls. Request our latest report at security@notifyhero.com.

GDPR

Fully GDPR compliant. We offer Data Processing Agreements (DPA) for all customers. EU data residency available on Enterprise plans.


Encryption

| Layer | Standard |
|-------|----------|
| In transit | TLS 1.3 for all connections |
| At rest | AES-256 encryption |
| Backups | Encrypted and geo-redundant |
| API keys | Hashed with bcrypt, never stored in plaintext |


Authentication & Access Control

Single Sign-On (SSO)

Available on Business and Enterprise plans:

  • SAML 2.0 — Okta, Azure AD, OneLogin, Google Workspace, and any SAML provider
  • OIDC — any OpenID Connect provider
  • Enforce SSO — require SSO for all users (no password fallback)

SCIM Provisioning

Available on Enterprise:

  • Auto-create users when they're added to your identity provider
  • Auto-deactivate users when they're removed
  • Sync group memberships to NotifyHero teams

Role-Based Access Control (RBAC)

Six built-in roles from Owner to Limited Stakeholder. See Account for details.

Two-Factor Authentication (2FA)

TOTP-based 2FA available for all users. Admins can enforce 2FA organization-wide.


Audit Logs

Available on Business and Enterprise plans.

Every action is logged with:

  • Who — user or API key
  • What — action performed
  • When — timestamp (UTC)
  • Where — IP address and user agent

```json
{
  "timestamp": "2026-03-01T09:00:00Z",
  "actor": "alice@your-company.com",
  "action": "incident.acknowledge",
  "resource": "INC-1042",
  "ip": "203.0.113.42",
  "user_agent": "NotifyHero-iOS/2.1.0"
}
```

Audit logs are:

  • Immutable — cannot be modified or deleted
  • Retained for 1 year (Business) or 3 years (Enterprise)
  • Exportable via API or CSV
  • Searchable by actor, action, resource, or date range

Infrastructure Security

  • Cloud hosting — multi-region, redundant infrastructure
  • DDoS protection — always-on mitigation
  • WAF — web application firewall on all endpoints
  • Vulnerability scanning — automated weekly scans
  • Penetration testing — annual third-party pen tests
  • Incident response plan — documented and tested quarterly

Data Handling

  • Data residency — US (default), EU, or custom regions (Enterprise)
  • Data retention — configurable per organization
  • Data export — export all your data at any time via API
  • Data deletion — request full data deletion, completed within 30 days
  • No cross-org data sharing — AI models are scoped to your organization only

Network Security

IP Allowlisting

Restrict API access to specific IP ranges (Enterprise):

Allowed IPs: 203.0.113.0/24, 198.51.100.0/24
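The audit-log fields above (actor, action, resource, timestamp, IP) and the IP allowlist together support a routine defender check: search an exported log and flag any activity that did not come from an allowed range. The following is an added example, not NotifyHero's code or tooling. It assumes the export can be read as JSON Lines using the field names of the sample entry, and the `apikey:` actor prefix and the sample entries themselves are constructed for illustration.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample export (not real NotifyHero data). Assumption: the API/CSV
# export can be obtained as JSON Lines, one entry per line, with the field
# names shown in the sample audit entry. The "apikey:" actor form is assumed.
SAMPLE_EXPORT = """\
{"timestamp": "2026-03-01T09:00:00Z", "actor": "alice@your-company.com", "action": "incident.acknowledge", "resource": "INC-1042", "ip": "203.0.113.42", "user_agent": "NotifyHero-iOS/2.1.0"}
{"timestamp": "2026-03-01T09:05:12Z", "actor": "apikey:deploy-bot", "action": "incident.create", "resource": "INC-1043", "ip": "198.51.100.7", "user_agent": "curl/8.4.0"}
{"timestamp": "2026-03-01T22:41:03Z", "actor": "apikey:deploy-bot", "action": "apikey.create", "resource": "key_9f1c", "ip": "192.0.2.15", "user_agent": "python-requests/2.31"}
"""

# The ranges from the IP Allowlisting example.
ALLOWED_RANGES = [ipaddress.ip_network(cidr) for cidr in ("203.0.113.0/24", "198.51.100.0/24")]


def parse_export(text):
    """Parse JSON Lines audit entries; timestamps become timezone-aware UTC datetimes."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        entry["timestamp"] = datetime.strptime(
            entry["timestamp"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        entries.append(entry)
    return entries


def search(entries, actor=None, action=None, resource=None, start=None, end=None):
    """Filter by the fields the product exposes: actor, action, resource, date range (inclusive)."""
    out = []
    for e in entries:
        if actor is not None and e["actor"] != actor:
            continue
        if action is not None and e["action"] != action:
            continue
        if resource is not None and e["resource"] != resource:
            continue
        if start is not None and e["timestamp"] < start:
            continue
        if end is not None and e["timestamp"] > end:
            continue
        out.append(e)
    return out


def outside_allowlist(entries, allowed=ALLOWED_RANGES):
    """Entries whose source IP falls in none of the allowed ranges. If API access is
    supposed to be restricted to those ranges, these are the entries to review."""
    flagged = []
    for e in entries:
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in net for net in allowed):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    entries = parse_export(SAMPLE_EXPORT)
    for e in outside_allowlist(entries):
        print(f'{e["timestamp"].isoformat()} {e["actor"]} {e["action"]} {e["resource"]} from {e["ip"]}')
```

Run against the constructed sample, the check flags the `apikey.create` event from 192.0.2.15, the one address outside both ranges; the `search` helper mirrors the four filters the product offers so the same script can scope a review to one actor or one day.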

Webhook Verification

Verify that webhooks are actually from NotifyHero:

```bash
# Verify webhook signature: HMAC-SHA256 over the raw request body, keyed with
# your webhook secret, compared against the X-NotifyHero-Signature header value.
# printf is used instead of echo -n so the body is passed through unmodified.
SIGNATURE=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$WEBHOOK_SECRET" | awk '{print $2}')
if [ "$SIGNATURE" = "$RECEIVED_SIGNATURE" ]; then
  echo "Verified"
else
  echo "Rejected: signature mismatch" >&2
  exit 1
fi
```

Every outbound webhook includes an X-NotifyHero-Signature header.
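The same check in a webhook receiver, as an added example rather than NotifyHero's own code: it recomputes the HMAC over the raw body bytes (not a re-serialized copy, which could differ in whitespace or key order) and compares with a constant-time function, which the plain shell string comparison does not give you. It assumes the header carries the lowercase hex digest exactly as the openssl command above produces it; the secret and body below are constructed samples.

```python
import hashlib
import hmac

# Assumption: X-NotifyHero-Signature carries the hex HMAC-SHA256 of the raw body,
# matching the openssl output above. If the real header adds a prefix or a signed
# timestamp, strip or include it here accordingly.


def compute_signature(secret: str, body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw request body, keyed with the webhook secret."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, body: bytes, received_signature: str) -> bool:
    """True only if the header value matches the recomputed digest.

    compare_digest runs in constant time, so an attacker probing with guessed
    signatures learns nothing from response timing; comparing as bytes also
    avoids a TypeError if the header contains non-ASCII junk.
    """
    if not received_signature:
        return False
    expected = compute_signature(secret, body).encode("ascii")
    received = received_signature.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected, received)


# Constructed sample values; never reuse a secret that appears in documentation.
WEBHOOK_SECRET = "whsec_example_do_not_use"
SAMPLE_BODY = b'{"event":"incident.triggered","resource":"INC-1042"}'


if __name__ == "__main__":
    sig = compute_signature(WEBHOOK_SECRET, SAMPLE_BODY)
    print("header value:", sig)
    print("intact body verifies:", verify_webhook(WEBHOOK_SECRET, SAMPLE_BODY, sig))
    # Any change to the body, even trailing whitespace, invalidates the signature.
    print("tampered body verifies:", verify_webhook(WEBHOOK_SECRET, SAMPLE_BODY + b" ", sig))
```

In a real handler, read the body with the framework's raw-bytes accessor before any JSON parsing, reject with a 4xx on mismatch, and only then deserialize the payload.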


Compliance

| Standard | Status |
|----------|--------|
| SOC 2 Type II | ✓ Certified |
| GDPR | ✓ Compliant |
| HIPAA | ✓ BAA available (Enterprise) |
| ISO 27001 | In progress |
| CCPA | ✓ Compliant |


Responsible Disclosure

Found a vulnerability? Email security@notifyhero.com. We respond within 24 hours and don't pursue legal action against good-faith researchers.