Security and compliance

Security by design.

Maestro reads what it needs to conduct your day, writes back what you tell it, and stores almost nothing. Your data lives in the source tools — exactly where you put it.

SOC 2 Type II
GDPR ready
ISO 27001
HIPAA-aware
UK Data Protection Act
CCPA

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest. Per-customer encryption keys on the Enterprise plan, with optional bring-your-own-key via AWS KMS or GCP KMS.

Role-based access

Fine-grained RBAC out of the box. SSO via SAML or OIDC on Enterprise. SCIM provisioning for automated joiner-mover-leaver flows.

Full audit log

Every read, every write-back, every admin change. Streamed to your SIEM via webhook or S3. Retained 30 days on Team, unlimited on Enterprise.

Security FAQ

Common questions, plain answers.

Grouped by data handling, access, and compliance. For anything not covered here, email security@maestro.example.

Data handling

What data does Maestro store?

Metadata only — task IDs, event IDs, timestamps, and the references needed to orchestrate. The actual content of your tasks, docs, and messages stays in the source tools. Maestro reads on demand and writes back when you ask it to.

Do you train AI on our data?

No. Customer data is never used to train any model. Maestro AI runs read-only queries against your own connected tools, scoped to the user asking.

Where is data stored?

EU (Frankfurt) by default. US-East and APAC available on Enterprise. Choose the region at workspace creation; we'll migrate on request.

Access and audit

Who at Maestro can see my data?

Production access is restricted to a four-person on-call rotation, MFA-enforced, and logged. Every access is recorded in your audit log — you see when we look.

How do we revoke access?

Disconnect a tool with one click. The OAuth scope is revoked immediately and Maestro deletes the cached metadata within 24 hours.

Compliance and contracts

Can we get a DPA?

Yes — standard DPA available on signup. Custom DPAs for Enterprise. Sub-processors are listed in the trust center and notified 30 days before any change.

Do you sign BAAs for HIPAA?

Yes, on Enterprise plans. Talk to sales — we'll send the BAA before the first technical conversation.

Need our security pack?

SOC 2 report, pen-test summary, sub-processor list, and the DPA — sent in one email.
