
Security Policy

Last Updated: April 27, 2026

Our security philosophy

Protecting customer and end-user data is foundational to PolarGX. We hold ourselves to enterprise-grade security practices regardless of customer size — a solopreneur on the Free plan gets the same encryption, access controls, and incident response as an Enterprise customer. This policy describes what we do, in plain language, so you can verify it against your own requirements.

For our compliance certifications and ongoing audit status, see our Trust Center. For data-protection details specific to GDPR, UK GDPR, and CCPA, see our GDPR & data protection page.

1. Encryption

In transit: all communication between your browser, our APIs, and our infrastructure uses TLS 1.2 or 1.3. Older protocols (TLS 1.0 and 1.1, and all SSL versions) are disabled. Customer-facing endpoints have HSTS enabled.

At rest: data stored in our databases and object stores is encrypted with AES-256. Encryption keys are managed by the cloud provider's key management service with rotation policies and access auditing.
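The transit claims above are the kind you can verify from outside. The following is an added example, not PolarGX's own tooling: a small checker that attempts a handshake pinned to each TLS version and confirms the endpoint refuses TLS 1.0/1.1 and accepts 1.2/1.3, then fetches the Strict-Transport-Security header and parses it per RFC 6797. The host name `app.example.com` is an assumption, not a PolarGX endpoint; the one-year max-age bar is a common requirement rather than anything this policy states.

```python
"""Added example, not PolarGX's own code: checks a customer-facing endpoint
against the section 1 transit claims (only TLS 1.2/1.3 accepted, HSTS set).
The host name below is an assumption; substitute the endpoint you are assessing."""
import http.client
import socket
import ssl

DEFAULT_HOST = "app.example.com"  # assumption, not a PolarGX endpoint

# The stated policy: legacy versions refused, current versions accepted.
EXPECTED_SUPPORT = {
    "TLSv1": False,
    "TLSv1.1": False,
    "TLSv1.2": True,
    "TLSv1.3": True,
}
_VERSION_ENUM = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
ONE_YEAR = 31536000  # max-age bar commonly required (and needed for preload lists)


def probe_tls_version(host, name, port=443, timeout=5.0):
    """Attempt a handshake pinned to one protocol version; True if it completes.
    Caveat: False can also mean the local OpenSSL refused to offer the version
    (modern builds disable TLS 1.0/1.1 at the default security level). Probe a
    host known to still accept them first to calibrate the tool."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ctx.maximum_version = _VERSION_ENUM[name]
        ctx.check_hostname = False  # we test protocol support, not identity
        ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == name
    except (ssl.SSLError, OSError, ValueError):
        return False


def fetch_hsts_header(host, port=443, timeout=5.0):
    """HEAD / over HTTPS and return the Strict-Transport-Security value, or None."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


def parse_hsts(value):
    """Parse an HSTS field value (RFC 6797 section 6.1) into its directives.
    Returns None when the header is absent; max_age is None when missing/malformed."""
    if value is None:
        return None
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def evaluate(observed_support, hsts_value, min_age=ONE_YEAR):
    """Compare observations with the stated policy and return a list of findings.
    observed_support maps version names (keys of EXPECTED_SUPPORT) to handshake results."""
    findings = []
    for name, expected in EXPECTED_SUPPORT.items():
        got = observed_support.get(name)
        if got is None:
            findings.append(f"{name}: not probed")
        elif got and not expected:
            findings.append(f"{name}: accepted but policy says disabled")
        elif expected and not got:
            findings.append(f"{name}: refused but policy says supported")
    hsts = parse_hsts(hsts_value)
    if hsts is None:
        findings.append("HSTS: header missing")
    elif hsts["max_age"] is None:
        findings.append("HSTS: max-age directive missing or malformed")
    elif hsts["max_age"] < min_age:
        findings.append(f"HSTS: max-age {hsts['max_age']} below {min_age}")
    return findings


def assess(host=DEFAULT_HOST):
    """Run the live probes against `host`; an empty list means it matches the policy."""
    observed = {name: probe_tls_version(host, name) for name in EXPECTED_SUPPORT}
    return evaluate(observed, fetch_hsts_header(host))


if __name__ == "__main__":
    for finding in assess() or ["no deviations from the stated policy"]:
        print(finding)
```

Run it as a script against the endpoint you are assessing; `evaluate` is separated from the network probes so the comparison logic can be exercised on recorded observations without a live target.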

2. Access controls

Customer accounts: all PolarGX accounts support role-based access control (RBAC) with least-privilege defaults. Enterprise plans include single sign-on (SSO) via SAML 2.0 and SCIM provisioning.

PolarGX employees: production system access is restricted to authorized engineering personnel via SSO with mandatory multi-factor authentication. All production access is logged and reviewed.

Audit trails: we maintain access logs for at least 90 days and provide audit-log export for Enterprise customers.

3. Infrastructure

PolarGX runs on enterprise-grade cloud infrastructure with redundancy across availability zones, automated failover, and continuous monitoring. We use standard hardening practices including network segmentation, security groups, and least-privilege IAM.

We do not operate on-premises hardware for customer data. Sub-processors are listed and updated on our Trust Center.

4. Vulnerability management

Continuous scanning: automated dependency and container scanning run on every build. Critical vulnerabilities trigger immediate remediation.

Penetration testing: we engage independent security firms for annual penetration tests against our production environment. Reports are available under NDA to qualified Enterprise customers and prospects.

Responsible disclosure: if you believe you have discovered a security issue, please report it to security@polargx.com. We respond within one business day and do not pursue legal action against researchers acting in good faith.

5. Incident response

We maintain a documented incident response plan with defined roles, escalation paths, and communication templates. An on-call engineering rotation covers severity-1 incidents 24/7.

Breach notification: in the event of a confirmed data breach affecting customer data, we notify affected customers within 72 hours of confirmation and provide impact details, mitigation steps, and the timeline of events.

6. Employee security

All PolarGX employees and contractors receive security training at onboarding and annually. Background checks are performed where legally permitted. Access is provisioned on a least-privilege basis and revoked immediately upon role change or departure.

7. Reporting and contact

For security questions, vulnerability reports, or to request our security documentation package (including SOC 2 status, penetration test summaries, and our standard security questionnaire response):

Email: security@polargx.com