Security at IdeaLift

We take the security of your data seriously. Learn about our security practices, infrastructure, and compliance measures.

Security Overview

Encryption

All data encrypted in transit (TLS 1.3) and at rest (AES-256)

SOC 2 Type II

Compliance in progress. Report available Q2 2025

GDPR Ready

Full GDPR compliance with data processing agreements

Infrastructure Security

Cloud Infrastructure

IdeaLift runs on Microsoft Azure, a SOC 2 certified cloud provider. Our infrastructure is hosted in Azure's US East data centers with automatic failover and redundancy.

Database Security

Data is stored in Azure SQL with transparent data encryption (TDE). Backups are encrypted and retained for 30 days. Point-in-time restore is available for disaster recovery.

Network Security

All traffic is encrypted using TLS 1.3. We use Azure Web Application Firewall (WAF) for protection against OWASP Top 10 vulnerabilities. DDoS protection is enabled at the infrastructure level.

Access Controls

Role-based access control (RBAC) limits employee access to production systems. All access is logged and audited. MFA is required for all team members.

Data Protection

Data Encryption

  • In Transit: TLS 1.3 for all API and web traffic. HSTS enforced.
  • At Rest: AES-256 encryption for all stored data including database and backups.
  • OAuth Tokens: Encrypted with separate keys and stored securely.

Data Minimization

We only collect and store data necessary to provide the service. We do not:

  • • Store full chat history from connected platforms
  • • Scan or index your repositories or projects
  • • Retain data longer than necessary
  • • Share data with third parties for advertising

Data Retention

  • Active Data: Retained while your account is active
  • Deleted Ideas: Permanently removed after 30 days
  • Account Deletion: All data removed within 30 days of request
  • Backups: Retained for 90 days for disaster recovery

Application Security

Authentication

  • OAuth 2.0 with industry-standard providers (Google, GitHub, Slack)
  • Secure session management with HTTP-only cookies
  • CSRF protection on all state-changing operations
  • SSO support for Enterprise plans (SAML, OIDC)

API Security

  • API key authentication for programmatic access
  • Rate limiting to prevent abuse
  • Input validation and sanitization on all endpoints
  • Webhook signature verification

Secure Development

  • Automated security scanning in CI/CD pipeline
  • Dependency vulnerability monitoring
  • Code review required for all changes
  • Regular penetration testing

Compliance

SOC 2 Type II

We are currently undergoing SOC 2 Type II certification, covering Security, Availability, and Confidentiality trust principles.

In Progress - Q2 2025

GDPR

IdeaLift is fully GDPR compliant. We offer Data Processing Agreements (DPA) for customers who require them.

Compliant

CCPA

We comply with the California Consumer Privacy Act. California residents can exercise their rights by contacting us.

Compliant

HIPAA

IdeaLift is not currently HIPAA compliant. Please do not store protected health information (PHI) in IdeaLift.

Not Applicable

Sub-processors

We use the following third-party services to operate IdeaLift:

ProviderPurposeLocation
Microsoft AzureCloud infrastructure, databaseUSA
StripePayment processingUSA
OpenAIAI processing (formatting, deduplication)USA
PostHogProduct analyticsUSA/EU
ResendTransactional emailsUSA

Full list available at /sub-processors

Security Reporting

If you discover a security vulnerability, please report it responsibly:

  • • Email us at security@startvest.ai
  • • Include a description of the vulnerability
  • • Provide steps to reproduce if possible
  • • Allow us reasonable time to respond before public disclosure

We appreciate responsible disclosure and will acknowledge researchers who help us improve our security.

Enterprise Security

Enterprise customers receive additional security features:

  • Single Sign-On (SSO) with SAML or OIDC
  • SCIM provisioning for user management
  • Audit logs for compliance
  • Custom data retention policies
  • Dedicated security review and questionnaire completion
  • Custom Data Processing Agreement (DPA)
Contact Enterprise Sales

Questions?

If you have security questions or need documentation for your security review:

security@startvest.aiPrivacy Policy