SOC 2 compliance

Ingest is built around controls aligned with the SOC 2 Trust Service Criteria. This page summarizes the security properties of the platform, what they are and what they guarantee. For implementation details, a system description, or audit documentation, get in touch.

Tenant isolation

Every customer's pipelines run on a dedicated set of cloud resources, scoped by IAM. One customer's runtime cannot read, write, or list another customer's data. Credentials, configuration, schedules, queues, and logs are partitioned per customer at the AWS resource level, not just by application logic.

Least-privilege access

The roles that the runtime assumes are scoped down to exactly the resources required for the job, read or write, never more. Cross-account access (for example, your Snowflake account reading Iceberg files in your S3 bucket) is gated by external IDs, so a leaked role ARN alone cannot grant access.

Service authentication

Service-to-service authentication uses short-lived OIDC tokens. There are no long-lived passwords or key files sitting in CI environments or laptops to be rotated, leaked, or forgotten. Tokens are scoped to specific repositories and specific branches.

Secrets management

Customer API credentials are stored in a managed secrets service, encrypted at rest. The runtime resolves them at execution time only, secrets are never written to disk, never included in logs, and never displayed in the dashboard once entered. Rotation invalidates the cached value so the next request picks up the new one.

Encryption in transit

Managed storage rejects requests that don't use TLS. Source-API traffic and control-plane traffic use HTTPS. Credentials handed to deploy infrastructure are encrypted before they leave the browser.

Processing integrity

The execution path deduplicates messages so a retry won't double-process a request, and routes persistent failures to a dead-letter queue that triggers an alarm. Iceberg loads are idempotent, running the same load twice produces the same table state.

Monitoring & change detection

Alerts fire on dispatch failures, processing errors, authentication failures, and any message reaching the dead-letter queue. Separately, we monitor for configuration changes that would regress access controls, for example, a manual edit to an IAM or KMS policy outside the normal deploy path, and alert on those.

Data retention

Log and data retention windows are enforced automatically by storage-level lifecycle policies. The specific window for your account is part of your contract.

Confidentiality

On bring-your-own-bucket, Iceberg files land in your AWS account, under IAM controls you operate. PII masking is applied at the query layer through Snowflake views, so flagged columns are masked when downstream consumers read the data; the raw data itself is unmodified and can be unmasked by a privileged role for legitimate audit needs.

Change management

Production infrastructure changes are gated by code review and merged into the main branch before any deploy runs. The deploy role only trusts that branch.

What this page does not cover

This page is a customer-facing summary of security properties. It is not the system description, the audit report, or a complete control matrix. For any of those – reach out.