Security & compliance

Built to protect your data — and prove it.

Etlworks runs on SOC 2 Type 2 controls, supports HIPAA with a BAA, and complies with GDPR. Customer data is not persisted by default — most flows stream rows through memory in microseconds. The security posture is identical across cloud, hybrid, and on-prem.

Download SOC 3 report Request SOC 2 Type 2 report security@etlworks.com

Need a questionnaire filled out? We do that free of charge — email security@etlworks.com.

Compliance & certifications

SOC 2 Type 2

Independent audit of security, availability, and confidentiality controls. Report available under NDA.

HIPAA

BAA available for enterprise customers. Privacy and information-security controls support HIPAA compliance.

GDPR & DPA

Compliant with GDPR. DPA executed on request as part of any enterprise contract.

SOC 3

Public summary of our SOC 2 controls. Free to download — no NDA required.

Etlworks runs on AWS, Azure, and GCP — all of which carry SOC 1 / 2 / 3 and ISO/IEC 27001 certifications that we inherit at the infrastructure layer.

Data handling

By default, Etlworks does not persist customer data. Most integration flows stream rows through memory in microseconds — what we keep is configuration, metadata, and the credentials needed to run your flows.

Data type Persisted Notes
Customer data Not by default Opt-in to stage in local storage. Encrypted at rest. Customer-defined retention policy. Optional PGP.
Streaming & event data Never One row in RAM for microseconds during transit. Never written to disk in any form.
Temporary data Per flow run Auto-purged when the flow finishes — successfully or with an error.
Configuration & metadata Persistent Flow definitions, table/column names, schedules. Stored in a database isolated from the public internet.
Credentials & OAuth tokens Persistent Encrypted with strong algorithms. Stored in an isolated database. Never logged.
Payment methods Never Handled by PayWhirl over Stripe. Etlworks staff have no access. PCI-compliance is the processor’s responsibility.

Why this matters: most iPaaS tools persist customer data by default for caching, replay, or analytics. Etlworks does not. This narrows your data-residency footprint and reduces breach blast radius.

Architecture & infrastructure

Etlworks runs in a Virtual Private Cloud across AWS, Azure, and GCP. Networks are segregated by security level. Only port 443 (HTTPS) is open inbound. Customer-managed deployments inherit the same architecture.

Perimeter protection

  • System firewall, reverse proxy, load balancer
  • Only port 443 open inbound — no SSH, no other ports
  • SSL/TLS terminated at the load balancer
  • Trusted enterprise email gateway with spam filtering

Network segregation

  • VPC with subnets segregated by security level
  • Restrictive firewalls between every network
  • Configuration database isolated from the public internet
  • Modern firewall rules audited regularly

Cloud providers

  • AWS, Azure, GCP — choose your region
  • Inherit SOC 1 / 2 / 3 and ISO/IEC 27001 from the provider
  • Encrypted storage volumes (cloud-managed at-rest encryption)
  • Same posture in cloud, hybrid, and on-prem deployments

Patching & backups

  • Automated vulnerability scans, security patches applied promptly
  • Frequent backups, regularly tested for restore
  • Backup access guarded by 2FA, password manager, encryption at rest
  • OWASP secure-coding guidelines followed in development

Authentication & access control

JWT-based stateless authentication, optional 2FA, SSO via SAML, and role-based access control with six roles. Tag-based artifact access lets you scope teams to specific flows, environments, or projects.

Six roles · least-privilege by default

SuperAdmin Unrestricted system access
Administrator Full data control · manages users, flows, connections, formats
Editor Same as admin without user management
Operator View and run flows · view execution stats
Viewer Read-only access to flows, schedules, stats
API user Authenticates calls to user-defined API endpoints · sees only its own messages

Authentication

  • JWT-based, stateless — no session cookies
  • Short-lived tokens with automatic expiration
  • Two-factor authentication (TOTP via Google Authenticator)
  • SSO via SAML (miniOrange) for Enterprise & on-prem
  • Strong password enforcement
  • Invitation-only signup — no self-service registration

Artifact-level access

  • Tag-based scoping for flows, connections, schedules
  • Tag views align with teams, projects, environments
  • Each user is assigned exactly one role
  • Admin actions logged for audit

Encryption

Industry-standard encryption at rest and in transit. Customer-managed PGP for files. SSH tunneling and IP allowlisting for source/destination connections.

In transit

  • HTTPS-only with HSTS
  • SSL/TLS for all connections
  • SSH tunneling for source/destination DBs
  • IP allowlisting on request

At rest

  • Cloud-managed volume encryption
  • AWS, Azure, GCP, Oracle Cloud, IBM Cloud
  • Optional PGP for staged files
  • Backups encrypted at rest

Credentials

  • Strong-algorithm encryption
  • JWT tokens encrypted
  • OAuth tokens encrypted
  • Stored in isolated database

Testing & audit

Automated and manual security testing across multiple cadences. Independent third-party audits of applications and infrastructure. Static code analysis on every build.

Monthly

Vulnerability and penetration scans via Intruder.io. Additional scans triggered when new threats emerge. Reports available on request.

Every build

Static code analysis runs against application code and third-party libraries. Findings block release until addressed.

Periodic

Independent third-party audits of applications and infrastructure. Findings prioritized for remediation.

Incident response

Documented incident response plan with timely customer notification. Application, system, and data access logs monitored for anomalies. To date, Etlworks has not experienced a security breach.

Detection & monitoring

  • Application, system, and data access logs monitored continuously
  • Anomalous behavior surfaces in security review
  • Direct UI and API access to flow execution logs for customers
  • Configurable customer notifications on errors and conditions

Response process

  • Documented Security Incident Response Plan
  • Customer notification on confirmed breach
  • Coordinated remediation across affected systems
  • Post-incident review for control improvements

See response-time SLAs by severity

Responsible disclosure

We welcome reports of suspected security issues from independent researchers. We do not run a paid bug bounty, but we acknowledge contributions on this page.

Out of scope

Modifying or destroying data · degrading service for customers · denial-of-service attacks · accessing other users’ accounts or data · violating any applicable law.

Send reports to security@etlworks.com.

Questions? Auditing? Procurement?

Our Security & Compliance team answers questionnaires free of charge. Reach out at security@etlworks.com — or grab the artifacts below directly.

SOC 3 (public) SOC 2 Type 2 (NDA) BAA template DPA Privacy policy HIPAA overview