Security & trust

The reference.
Everything in one place.

Certifications, sub-processors, data handling, retention, and how to file a vulnerability. Hand this page to your security team and let them check the boxes.

  • SOC 2 in flight
  • GDPR ready
  • Encrypted in transit & at rest

01

Compliance, at a glance.

What's signed, what's underway, what's available on request.

In flight

SOC 2 Type II

Observation window underway with a Big Four auditor. Type I letter available now under NDA.

Live

GDPR & DPA

Standard contractual clauses and a DPA on request. EU sub-processor list maintained below.

Planned

ISO 27001

Control mapping complete; certification audit scheduled for Q4. Crosswalk to SOC 2 available.

On request

HIPAA

BAA available for healthcare customers on Enterprise. Limited to ePHI handled inside the Beagle tenant.

Annual

Pen testing

Annual third-party penetration test. Latest report (redacted) available under NDA.

Live

Vulnerability disclosure

Public program with a 90-day disclosure window. Bug bounty for in-scope findings.

02

Your data, only where it has to be.

Beagle reads what a teammate would read. Nothing is forwarded, nothing is pooled, nothing trains on your content.

  • In transit. TLS 1.3 end-to-end. HSTS enforced. Certificates pinned in mobile.
  • At rest. AES-256 with tenant-bound keys via envelope encryption. KMS rotation every 90 days.
  • In the model. No training on customer data. Provider contracts include zero data retention on inference, where the provider offers it.
  • On retention. Default 12 months for memory and audit. Tenant admin can shorten or extend per surface, or wipe on demand.

03

Sub-processors, full list.

Every vendor that touches your data, what they do, and where they sit. Notice of additions is mailed 30 days in advance.

sub_processors.csv (v6 · 2026-04)

| Vendor     | Purpose                    | Data                           | Region               |
|------------|----------------------------|--------------------------------|----------------------|
| AWS        | Compute & storage          | All tenant data                | us-east-1, eu-west-1 |
| Anthropic  | Model inference            | Prompts (no retention)         | US                   |
| OpenAI     | Model inference (fallback) | Prompts (no retention)         | US                   |
| Cloudflare | Edge & DDoS                | Request metadata               | Global               |
| Stripe     | Billing                    | Billing contact, card metadata | US, EU               |
| Postmark   | Transactional email        | Notification content           | US                   |
| PostHog    | Product analytics          | Event metadata                 | US                   |
| Sentry     | Error tracking             | Stack traces (scrubbed)        | US                   |

04

Found something? Tell us.

Coordinated disclosure with a 90-day window. We triage in 24 hours and credit researchers in our hall of fame.

  • Email. security@heybeagle.com - PGP key at /pgp.txt.
  • Scope. Anything on heybeagle.com, *.heybeagle.com, the Beagle Slack and Teams apps, and the public API.
  • Bounty. Up to $10k for confirmed remote code execution. Lower bands published in the policy.

Bring the packet to your security review.

SOC 2 Type I letter, latest pen-test summary, DPA, sub-processor list, and a 30-minute walkthrough with our security lead.
