Security at Jarviz
Last updated · April 2026
Jarviz handles money-grade data: advertising spend, CRM records, signed revenue. We treat its protection as a product requirement, not a checkbox.
Hosting & data residency
Primary hosting on Cloudflare with edge presence and EU-based data plane. Customer data is stored in encrypted databases located in the European Union (Frankfurt and Paris regions).
Backups are encrypted and retained for thirty (30) days.
Encryption
TLS 1.2+ in transit. AES-256 at rest. Secrets are stored in a hardware-backed key management service. Email addresses sent back to advertising APIs are hashed (SHA-256) when supported.
Access control
Least-privilege access for Jarviz personnel, mandatory single sign-on with multi-factor authentication, audit logs reviewed monthly. Production access is limited to a named on-call rotation.
Compliance
GDPR by design. SOC 2 Type 2 audit in progress. ISO 27001 mapping in place. DPA available on request.
Incident response
On-call 24/7 for production. Initial customer notification within 24 hours of confirmed material incidents; full root-cause within 14 days.
Vulnerability disclosures: security@getjarviz.com — PGP key on request.