Security

Signal is designed for enterprise data-handling requirements: single-tenant deployments, first-party data only, encryption everywhere, role-based access, and full audit logging.

Principles

• Single-tenant isolation. Every customer gets their own dedicated Signal deployment. No shared infrastructure, no cross-customer data paths.
• First-party data only. Datafly.js loads from the customer’s own subdomain, events go to the customer’s own endpoint, and all cookies are first-party.
• Encryption in transit and at rest. TLS for all network traffic; sensitive stored data encrypted with industry-standard ciphers and managed-DB envelope encryption.
• Role-based access control. Authenticated and authorised at the management API level. Owners, admins, editors, viewers.
• Audit logging. Every administrative action recorded with actor, timestamp, target, and detail. Retained for compliance.
• Two-stage consent enforcement. Consent gates events at both ingestion and delivery, with full CMP integration.

Compliance

Datafly Signal’s compliance posture is built on Signal’s single-tenant, customer-hosted architecture — customer data does not enter Datafly-controlled infrastructure.

• GDPR / UK GDPR — Signal is designed to support compliance for customers operating in scope. The customer is the data controller; Datafly’s role and responsibilities are documented in the standard Data Processing Agreement.
• ISO 27001 — certification work is on the roadmap. Signal’s narrow ISMS scope reflects the customer-hosted deployment model, which materially reduces the controls in scope compared with a SaaS data processor.
• SOC 2 — planned alongside US expansion.

To request a security questionnaire response or DPA, contact your account team or email hello@dataflysignal.com.