Security

Security is foundational to everything we build at Subgradient Labs. We implement defense-in-depth strategies across our infrastructure, applications, and operations to protect your data and ensure the reliability of our services.

SOC 2 Type II: Our infrastructure and operations have been independently audited and certified. Reports are available to customers under NDA.

GDPR: We are fully compliant with the General Data Protection Regulation for our European customers, including data processing agreements and appropriate transfer mechanisms.

ISO 27001: Our information security management system follows ISO 27001 standards.

HIPAA: Business Associate Agreements are available for healthcare customers on Enterprise plans.

Our services run on SOC 2 compliant cloud infrastructure with: multi-region redundancy across geographically distributed data centers; network isolation with private subnets and strict firewall rules; DDoS protection and Web Application Firewalls; automated vulnerability scanning and patch management; encrypted storage (AES-256) and transit (TLS 1.3); hardware security modules (HSMs) for key management.

We follow secure development practices including: mandatory code review for all changes; static and dynamic application security testing (SAST/DAST); dependency vulnerability scanning; regular third-party penetration testing; bug bounty program; least-privilege access controls and API key management.

Your data is protected with: encryption at rest and in transit; strict access controls with audit logging; data residency options for Enterprise customers; automatic data deletion after retention periods; input/output data not used for model training by default; isolated tenant environments on Enterprise plans.

We maintain a comprehensive incident response program with: 24/7 security monitoring and alerting; defined escalation procedures and response teams; customer notification within 72 hours for data breaches; post-incident reviews and remediation tracking; regular tabletop exercises and response drills.

We welcome security researchers to report vulnerabilities through our responsible disclosure program. Please email security@subgradient.ai with details. We commit to acknowledging reports within 48 hours, providing regular updates on remediation, and recognizing researchers who help improve our security.