Security & Compliance
Effective date: Feb 6, 2026. This page summarizes the safeguards and practices used to protect customer data. For a full set of legal and compliance documents, visit the Trust Center.
1. Data residency
Data is stored and processed in the United States (Manassas, Virginia), and backups are stored in Backblaze E2 (US East).
2. Data handling
- Customer documents are stored on the server to support history and cross-device access.
- History retention is configurable by workspace admins, within plan limits.
- Workspace admins can choose local-only history, which stores history only on the user's device and does not sync to the server.
- Local-only history applies to history data only; audit logs and billing records are stored server-side.
- Backups are stored in Backblaze E2 (US East) and retained for 12 months by default. Longer retention is available by request.
- Audit logs are retained for 12 months by default. Longer retention is available by request.
- We use Netcup GmbH (hosting only; Manassas, VA data center), Backblaze E2 (US East) for backups, AWS SES for email delivery, and Stripe for payments. A current sub-processor list is available upon request.
- We do not use customer content to train AI or machine-learning models.
- We do not use third-party analytics or behavioral tracking scripts.
3. Encryption
- In transit: All connections to the Service use TLS 1.2 or higher. Older protocol versions (TLS 1.0, TLS 1.1, SSLv3) are disabled.
- At rest: Uploaded documents are encrypted at rest using AES-256 with per-account storage encryption keys.
- Storage encryption keys are versioned so new data can be written with a current key while prior key versions remain available for decryption during a planned rotation window.
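As an added illustration of the versioned-key scheme described above (example code written for this page, not Obscura's implementation), the Go sketch below keeps one account's AES-256-GCM key versions in a ring, tags every ciphertext with the version that produced it so old data still decrypts after a rotation, and makes a retired version fail closed; the KeyRing type, its methods and the one-byte version header are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyRing: one account's key versions; Current is used for new writes (hypothetical, not Obscura's code).
type KeyRing struct {
	Keys    map[uint8]cipher.AEAD // version -> AES-256-GCM instance
	Current uint8
}

// Rotate installs key as the new current version. Older versions stay in the
// ring for the rotation window, so documents written under them still decrypt.
func (r *KeyRing) Rotate(key []byte) error {
	if len(key) != 32 {
		return errors.New("AES-256 requires a 32-byte key")
	}
	block, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	if r.Keys == nil {
		r.Keys = map[uint8]cipher.AEAD{}
	}
	r.Current++
	r.Keys[r.Current] = aead
	return nil
}

// Encrypt emits [version][12-byte nonce][ciphertext+tag] under the current key
// (Rotate must have run once); the version byte is bound as associated data.
func (r *KeyRing) Encrypt(plaintext []byte) ([]byte, error) {
	aead := r.Keys[r.Current]
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{r.Current}, nonce...)
	return aead.Seal(out, nonce, plaintext, []byte{r.Current}), nil
}

// Decrypt uses only the key the version byte names; a version deleted after the rotation window fails closed.
func (r *KeyRing) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 13 || r.Keys[blob[0]] == nil {
		return nil, errors.New("ciphertext too short or key version unavailable")
	}
	return r.Keys[blob[0]].Open(nil, blob[1:13], blob[13:], blob[:1])
}
```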
4. Access controls
- Role-based access: The Service enforces role-based access control (RBAC) with roles including account owner, admin, member, and viewer. Each role carries least-privilege permissions.
- Production systems are accessible only to authorized Obscura personnel. Access is reviewed periodically.
- Workspace admins can manage seat assignments, deactivate users, and configure history retention and local-only storage options.
- Audit logs record user actions (document operations, admin changes, login events) and are accessible to account admins on Team and Enterprise plans.
5. Availability & backups
- Enterprise plan uptime target: 99.5% per calendar month (see SLA for full details and service credit terms). Free, Individual, and Team plans do not include SLA commitments.
- Service monitoring detects availability issues. Routine deployments are released as they become ready; maintenance that is expected to cause downtime is scheduled with at least 48 hours' advance notice and does not count against the uptime target.
- Backups are stored in Backblaze E2 (US East) and retained for 12 months by default. Longer retention is available by request.
6. Vendor & sub-processor review
Obscura maintains a limited list of sub-processors and reviews new vendors for security posture before onboarding. Customers receive at least 30 days advance written notice of material sub-processor additions or replacements, with a reasonable opportunity to object.
- Netcup GmbH — hosting (Manassas, VA data center)
- Amazon AWS SES — email delivery
- Backblaze E2 — backup storage (US East)
- Stripe — payment processing (name and address for billing verification only)
We do not use third-party analytics or behavioral tracking scripts. We do not use customer content to train AI or machine-learning models.
7. Payments & PCI
Payment processing uses Stripe. When you enter payment details, Stripe's JavaScript loads directly from https://js.stripe.com, so that payment data is handled by Stripe. Obscura does not store raw card numbers.
8. Incident response
We maintain an internal incident response process for security events. In the event of a confirmed personal data breach:
- We will notify affected customers within 48 hours of becoming aware of the breach, consistent with our DPA obligations.
- Notifications include a description of the incident, categories of data affected, and recommended actions.
- We will cooperate with customers to support their own regulatory notification obligations where required.
9. Compliance status
Obscura Document Redaction is not currently certified under SOC 2 or ISO 27001.
10. Contact
Security and compliance questions: support@useobscura.com.