Enterprise-grade security, built from the ground up
Security isn't a feature we bolted on — it's the foundation we built on. Encryption, access controls, and data governance are embedded at every layer of the Salmon platform.
Where we stand
We hold ourselves to the standards enterprise customers expect — and we're transparent about where we are in that journey.
SOC 2 Type II
Actively pursuing certification. Our infrastructure, access controls, and monitoring are built to SOC 2 standards. Audit in progress with expected completion mid-2026.
ISO 27001
Building toward ISO 27001 certification with a formal information security management system. Targeting Q4 2026.
GDPR
Full compliance with the General Data Protection Regulation. We maintain a designated Data Protection Officer, honor data subject access requests, and have data processing agreements with all sub-processors.
CCPA
Compliant with the California Consumer Privacy Act. Right-to-erasure requests honored. We do not sell personal information.
How we protect your data
Layered security controls across encryption, access, infrastructure, and operations.
Encryption
All data encrypted in transit via TLS 1.2 with legacy protocols (SSLv2, SSLv3, TLS 1.0, TLS 1.1) disabled. Data encrypted at rest across all storage systems. Encryption keys are managed and rotated periodically.
Access Control
Role-based access with the principle of least privilege enforced across all systems. Multi-factor authentication required for production access. Quarterly access reviews ensure permissions stay current. Access revoked immediately upon personnel changes.
Cloud Infrastructure
Hosted on Amazon Web Services with all data stored in the US-West region. Development, testing, and production environments are fully separated. VPN required for secure network access. Firewalls and network segmentation protect system boundaries.
Audit & Logging
Every data access, modification, and API call is logged with timestamps and user identity. System logs are monitored for security events. Full audit trail available for compliance reviews and customer inquiries.
Endpoint & Network Security
Antivirus and anti-malware deployed on all workstations and laptops. Intrusion detection systems monitor network traffic. Wireless networks are segmented from production. Annual assessments for unauthorized or unsupported software.
Personnel Security
Background and reference checks for all hires. All employees and contractors sign NDAs and confidentiality agreements. Periodic privacy and security training. Access terminated immediately upon departure.
Secure Development
Secure software development lifecycle with security integrated throughout. Code reviewed for vulnerabilities before deployment. Formal change management process governs all changes to production systems.
Risk & Vendor Management
Formal risk management program with periodic risk assessments. Third-party vendors are assessed for security before engagement and monitored on an ongoing basis. Third-party contracts reviewed for security and privacy requirements.
Incident Track Record
Zero data privacy or security incidents. No breaches, no government investigations, no litigation related to data practices. We take this record seriously and work every day to maintain it.
How we handle your data
Salmon operates on a principle of minimal data exposure. We access only the data fields required for enrichment and verification, and we don't store raw client data beyond the processing window.
All client data is stored in the United States. We do not transfer personal information to other countries. Sensitive data is prohibited in non-production environments.
For API customers, all requests are authenticated via scoped API keys with configurable rate limits. Every response includes source attribution and confidence scoring for full traceability.
- No persistent storage of raw client data beyond processing
- Ethically sourced from public and licensed sources only
- All data stored in the US (AWS US-West region)
- No sharing of client data with third parties
- Certificate of Data Destruction available on request
- Data deletion on request, compliant with right-to-erasure
- Data Retention & Destruction policy reviewed annually
Security leadership & accountability
Security is not just a policy — it's an organizational priority with dedicated leadership.
Information Security Officer
Dedicated executive responsible for developing, implementing, and maintaining our security program.
Chief Privacy Officer
Full-time role responsible for privacy-related inquiries, data subject requests, and compliance with privacy regulations.
Documented Policies
Formal policies covering access control, encryption, data retention, password management, vulnerability management, and third-party risk.
Privacy Policy
Our published Privacy Policy details how we collect, use, and protect data. We don't use client data for secondary purposes or share it beyond the scope of the engagement.
Need details for your security review?
We regularly complete enterprise security questionnaires and are happy to walk your team through our practices and share documentation.