Security & Compliance
Effective date: Feb 6 2026. This page summarizes the safeguards and practices used to protect customer data. For a full set of legal and compliance documents, visit the Trust Center.
1. Data residency
Data is stored and processed in the United States (Manassas, Virginia).
2. Data handling
- Customer documents are stored on the server to support history and cross-device access.
- History retention is configurable by workspace admins, within plan limits.
- Workspace admins can choose local-only history, which stores history only on the user's device and does not sync to the server.
- Local-only history applies to history data only; audit logs and billing records are stored server-side.
- Backups are stored in Backblaze E2 (US East) and retained for 12 months by default. Longer retention is available by request.
- Audit logs are retained for 12 months by default. Longer retention is available by request.
- We use Netcup GmbH (hosting only; Manassas, VA data center), Backblaze E2 (US East) for backups, AWS SES for email delivery, and Stripe for payments. A current sub-processor list is available upon request.
- We do not use customer content to train AI or machine-learning models.
- We do not use third-party analytics or behavioral tracking scripts.
3. Encryption
- In transit: All connections to the Service use TLS 1.2 or higher. Older protocol versions (TLS 1.0, TLS 1.1, SSLv3) are disabled.
- At rest: Uploaded documents are encrypted at rest using AES-256 with per-account storage encryption keys, plus infrastructure-level full-disk encryption where supported by the hosting provider.
- Storage encryption keys are versioned so new data can be written with a current key while prior key versions remain available for decryption during a planned rotation window.
4. Access controls
- Role-based access: The Service enforces role-based access control (RBAC) with roles including account owner, admin, member, and viewer. Each role carries least-privilege permissions.
- Production systems are accessible only to authorized Obscura personnel. Access is reviewed periodically.
- Workspace admins can manage seat assignments, deactivate users, and configure history retention and local-only storage options.
- Audit logs record user actions (document operations, admin changes, login events) and are accessible to account admins on Team and Enterprise plans.
5. Availability & backups
- Enterprise plan uptime target: 99.5% per calendar month (see SLA for full details and service credit terms). Free, Individual, and Team plans do not include SLA commitments.
- Service monitoring detects availability issues. Routine deployments may occur when ready; maintenance expected to cause downtime is scheduled with at least 48 hours advance notice and does not count against the uptime target.
- Backups are stored in Backblaze E2 (US East) and retained for 12 months by default. Longer retention is available by request.
6. Vendor & sub-processor review
Obscura maintains a limited list of sub-processors and reviews new vendors for security posture before onboarding. Customers receive at least 30 days advance written notice of material sub-processor additions or replacements, with a reasonable opportunity to object.
- Netcup GmbH — hosting (Manassas, VA data center)
- Amazon AWS SES — email delivery
- Backblaze E2 — backup storage (US East)
- Stripe — payment processing (name and address for billing verification only)
We do not use third-party analytics or behavioral tracking scripts. We do not use customer content to train AI or machine-learning models.
7. Payments & PCI
Payment processing uses Stripe. When you enter payment details, Stripe's JavaScript loads directly from https://js.stripe.com to keep payment data handled by Stripe. Obscura does not store raw card numbers.
PCI-related questions or documentation can be requested at support@useobscura.com.
8. Incident response
We maintain an internal incident response process for security events. In the event of a confirmed personal data breach:
- We will notify affected customers within 48 hours of becoming aware of a confirmed personal data breach, consistent with our DPA obligations.
- Notifications include a description of the incident, categories of data affected, and recommended actions.
- We will cooperate with customers to support their own regulatory notification obligations where required.
9. Compliance status
Obscura Document Redaction is not currently certified under SOC 2 or ISO 27001. SOC 2 Type I is in planning.
We can provide a completed security questionnaire upon request. Contact support@useobscura.com.
10. Contact
Security and compliance questions: support@useobscura.com.