Security for research your team can review.
Signals keeps your questions, sources, and conclusions under your control. Identity, access, AI routing, and run records are designed for teams with real reviewers.
This page summarizes the security posture of the Signals platform. For a vendor questionnaire, sub-processor list, or a draft DPA, contact us through the contact page.
Identity and access
- SSO via WorkOS. All authenticated access is brokered by WorkOS AuthKit. Enterprise customers can connect their own identity provider (Okta, Entra ID, Google Workspace, and others) for SAML/OIDC SSO and SCIM directory sync.
- Role-based access. Workspace access is scoped per organization, with admin, editor, viewer, and guest roles. Editors and admins consume paid seats; viewers and guests are free and read-only.
- Least privilege. Backend functions enforce membership and role checks before reading or changing Workspace data. There is no shared database surface across organizations.
- Session management. Sessions are short-lived and revocable through your IdP.
Data protection
- In transit. All traffic is served over TLS. Internal calls between Signals, Convex, and AI providers are encrypted in transit.
- At rest.Workspace data is stored in Convex’s managed infrastructure with encryption at rest. Object storage uses provider-managed encryption keys.
- Isolation.Each customer organization is a first-class tenant boundary in the data model. Access checks reference the caller’s membership and role on every request.
- Backups. Convex performs continuous backups with point-in-time recovery. Workspace data can be exported on request.
AI routing: we orchestrate models, we don't train them
Signals orchestrates third-party AI models and does not train its own. We route prompts and Workspace context, through Vercel AI Gateway, to the model your workflow specifies. AI usage is included in your plan up to its monthly allowance, and the upstream provider processes the call under its own API terms.
- No training on your data. We do not use customer prompts, outputs, or Workspace content to train models.
- Provider choice. Workspace admins can restrict which models are available to their users via the model catalog.
- Reviewable runs. Each generation is recorded against a Workflow Run with the model, prompt, sources, and outputs preserved for review.
Sub-processors
We rely on a short list of infrastructure providers to operate Signals. Material changes are announced before they take effect for paid plans.
| Provider | Role | Notes |
|---|---|---|
| WorkOS | Identity & access | SSO, directory sync, and session management. SOC 2 Type II. |
| Convex | Application database & functions | Authenticated reads/writes with row-level access enforced in code. SOC 2 Type II. |
| Vercel | Hosting & edge delivery | TLS termination, DDoS mitigation, and global delivery. SOC 2 Type II. |
| Vercel AI Gateway | AI model routing | Routes prompts to upstream providers (OpenAI, Anthropic, Google). Configurable per Workspace. |
Compliance and assurance
- Sub-processor certifications. Our primary infrastructure providers (WorkOS, Convex, Vercel) maintain SOC 2 Type II reports. We can share their reports under NDA.
- Envisioning’s posture. Signals itself is not yet SOC 2 certified. We are operating to SOC 2 aligned controls and can walk enterprise prospects through our current readiness on request.
- GDPR / UK GDPR. We support data subject access, correction, and deletion requests as described in our privacy policy. A data processing addendum is available on request.
Vulnerability disclosure
If you believe you’ve found a security issue, please report it through the contact page. We acknowledge reports within two business days. Please do not publicly disclose issues until we’ve had a chance to respond. We do not currently operate a paid bug bounty, but we credit reporters who request it.
Contact
Security, compliance, or procurement questions go through the contact page. We’ll route you to the right person at Envisioning.
Common questions
Is my research data used to train AI models?
No. The questions you ask, the sources you cite, and the conclusions you draw are not used to train models, yours or anyone else's. Prompts route to upstream providers only to run your scan, and they aren't retained for training.
Can I use my own private or proprietary data?
Not by upload, and that's deliberate. Signals works from public, API-accessible sources only, so your proprietary datasets and documents never get loaded into it. If you want to combine signals with internal data, the common approach is to export the signals as a spreadsheet and bring them together privately on your side.
Who can see my workspace data?
Only the people you invite. Access is enforced per Workspace, with reads and writes authorized in code rather than left to convention. Identity and sessions run through WorkOS, so SSO and directory rules from your side carry through.
Where is my data hosted, and who are your subprocessors?
Application data lives in Convex; hosting and edge delivery run on Vercel; identity is handled by WorkOS, each SOC 2 Type II. AI prompts route through the Vercel AI Gateway to the major model providers. The Security page lists the full set, and we'll share the questionnaire on request.
Do you offer a DPA?
Yes. A data processing addendum is available on request, and we support GDPR / UK GDPR data subject access, correction, and deletion requests. Use the Contact page and we'll send the current draft.
Are you SOC 2 compliant?
Signals is built on SOC 2 Type II infrastructure. WorkOS, Convex, and Vercel are each independently audited. For our security posture, sub-processor list, or a vendor questionnaire, use the Contact page and we'll route you to the right person.
Can I pay by invoice or purchase order?
Invoicing is available on annual plans only. Annual subscriptions can pay by NET 30 bank transfer or PO, with the commercial terms your reviewers need. Monthly plans are billed to a card. The Procurement page gathers billing, tax, and security information in one place.