Enterprise-ready security you can trust

Data is hosted regionally in dedicated AWS data centers according to customer location — US, EU/UK, or Australia. Our platform supports GDPR, HIPAA, CCPA, and other regional compliance mandates, as well as customer-specific contractual obligations and DPAs.

Obsidian uses a hybrid architecture where some infrastructure is shared across tenants while sensitive customer data is strictly isolated in dedicated database schemas and storage buckets. Data is fully encrypted at rest and in motion with customer-dedicated encryption keys stored and managed in CSP-hosted secure key management systems. This approach balances operational efficiency with strong data segregation, security, and privacy controls. Obsidian also complies with applicable laws, customer agreements, and indexed Terms of Service, including Data Processing Agreements (DPAs), to ensure proper handling of customer data.

Obsidian provides access to its key legal documents and policies, including the Terms of Service, Data Processing Addendum (DPA) and, Privacy Policy. These documents support compliance and transparency, giving customers clear guidance on legal and contractual obligations while using Obsidian’s platform.

Customer data is encrypted at rest with AES 256-bit or higher and secured in transit using TLS 1.3.

Yes. Our SDLC includes secure programming training, static code analysis, vulnerability scanning in CI/CD pipelines, and ongoing security validation. Automated and manual testing is performed along the code path from development through QE to production to ensure code quality and reliability.

We perform annual third-party penetration tests covering our web applications, browser extensions (Chrome and Firefox), internal networks, and cloud infrastructure. All identified issues are prioritized and remediated swiftly.

Yes, we welcome responsible vulnerability disclosures and manage reports according to our Responsible Disclosure Policy, available publicly. However, we currently do not offer monetary rewards for disclosures.

Obsidian ensures timely detection, notification, and resolution of product and security incidents. All incidents are posted to our public status page, and impacted customers receive direct notifications via email, Slack, or TAM engagement, including relevant indicators of compromise and recommended actions. Historical incident data is available here. Initial communications focus on timely disclosure, with detailed analysis provided subsequently. Follow-up support is provided in accordance with contractual obligations and internal procedures.

We perform daily backups with monthly full backups and retain raw data for 30 days by default. Our tested Business Continuity & Disaster Recovery Plan ensures data integrity and availability. While we leverage multiple Availability Zones (AZs) in AWS and GCP for redundancy, cross-region high availability is currently under development for select environments. Automated failover is supported within AZs at both component and cluster levels.

We deliver enterprise-grade SLAs, with Obsidian’s standard services achieving 99.99% uptime from August 2024 through August 2025—a level of reliability that exceeds typical industry standards. Availability is tracked continuously. Services are designed for high availability, with automated failover within Availability Zones. Incidents are managed promptly to resolve issues quickly, minimize third-party risk, and align with your organization’s risk tolerance.

Obsidian is a SaaS-native platform designed for cloud-first deployment, optimized for global scalability and security.

Yes. We provide comprehensive data export via APIs, including audit logs and configuration changes, in accordance with applicable laws, DPAs, and indexed Terms of Service.