
Safe, secure, and yours.

Genuics is built on SOC 2 Type II and HIPAA-eligible infrastructure, with strong defaults out of the box and enterprise controls when you need them. Your data stays yours, and it is never used to train AI models.

Built on SOC 2 Type II
HIPAA-ready
GDPR aligned

Audited infrastructure, sensible defaults.

Genuics itself is not yet independently SOC 2 certified. We rely on the underlying providers, Neon and Google Cloud, both of which carry SOC 2 Type II reports and HIPAA eligibility. We can route any of that documentation to your security team for review.

SOC 2 Type II infrastructure

Genuics runs on Neon (Postgres) and Google Cloud, both independently audited under SOC 2 Type II. Reports available for Enterprise on request.

HIPAA-ready architecture

Built on HIPAA-eligible infrastructure. Business Associate Agreements available for Enterprise customers handling protected health information.

GDPR aligned

Data Processing Agreement available, lawful-basis processing, and explicit data export and deletion on request. See our DPA for the full posture.

Audit logs

Every meaningful action — sign-ins, permission changes, data uploads, role updates, ownership transfer — is recorded with actor, timestamp, and outcome.

Encryption in transit and at rest

TLS 1.2+ on every connection. Postgres storage and object storage are encrypted at rest by the underlying providers, with keys managed by Google.

Cloud-native infrastructure

Stateless services on Cloud Run, managed Postgres on Neon, object storage on GCS. No customer-operated servers; operating system and runtime patching is handled by the providers rather than waiting on a maintenance window.

Strong by default, stricter on demand.

Free workspaces get the same auth primitives as Enterprise: 2FA, email OTP, SSO via Google. Enterprise adds mandatory enforcement, additional OIDC providers, and login restrictions.

Single sign-on

Sign in with Google, or any OIDC-compliant identity provider on Enterprise. Note: SAML and SCIM are not currently supported.

Two-factor authentication

TOTP authenticator apps and email OTP, available on every plan and configurable per user.

Email OTP login

Code-based passwordless login instead of magic links. A one-time code has to be typed into the session that requested it, so a link pre-fetched by a mail security scanner or forwarded out of context cannot complete a login on its own. The code still arrives by email, so the security of the mailbox remains the control that matters.

Mandatory 2FA

Org admins can require every member to enroll in 2FA. Members without it are locked out of the workspace until they enroll.

Decide what each member can see and do.

Roles, private teams, and guest accounts let you scope access to the smallest possible audience. Combined with audit logs, they let you answer the question every security review asks: who saw what, and when.

Role-based access control

Built-in Owner, Admin, Editor, and Viewer roles, plus custom roles with granular permissions per dataset, dashboard, and case workspace.

Private teams

Restrict datasets, dashboards, and case workspaces to a specific team. Invisible to anyone outside that team, even other admins.

Guest accounts

Invite stakeholders, clients, or contractors with read-only access scoped to specific dashboards. No license cost, no full workspace access.

Login restrictions

Restrict sign-in by email domain or by SSO provider. Combine with mandatory 2FA to lock the workspace down to one sanctioned auth path.

Admin controls

Invite, deactivate, and offboard members from one place. Deactivation preserves audit history without ever deleting evidence.

Ownership transfer

Transfer the workspace to a new owner without losing data, billing continuity, or audit history. Useful when staff change or roles rotate.

Isolated, redacted, and never used to train models.

Tenancy is enforced in the database, not just in the application. PII is stripped on the way in. AI features run under a contract that prohibits training on your data.

Multi-tenant isolation

Every row in every table is scoped by organization ID, and sensitive tables additionally carry row-level security policies that Postgres enforces on every query. On those tables a filter the application forgets cannot expose another workspace's rows; one workspace cannot read another.
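One way to verify the claim above against a real database, added here as an example and not part of Genuics' own code: given rows from the Postgres catalog, it reports every table that carries the tenant column but is not fully protected by row-level security (RLS not enabled, not forced on the table owner, or a policy that does not test the tenant setting). The column name org_id, the session setting app.org_id and the rows returned by sample_catalog() are assumptions constructed for the example.

```python
"""Check that every tenant-scoped Postgres table is actually protected by RLS.

Added example, not Genuics code. It consumes rows shaped like the output of the
three catalog queries below and reports any table that carries the tenant
column but is not fully covered by row-level security. The column name org_id
and the setting name app.org_id are assumptions.

    -- one row per ordinary table in the schema
    SELECT c.relname, c.relrowsecurity, c.relforcerowsecurity
      FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
     WHERE n.nspname = 'public' AND c.relkind = 'r';
    -- tables that carry the tenant key
    SELECT table_name FROM information_schema.columns
     WHERE table_schema = 'public' AND column_name = 'org_id';
    -- policies with their USING (qual) and WITH CHECK expressions
    SELECT tablename, policyname, cmd, qual, with_check
      FROM pg_policies WHERE schemaname = 'public';

The DDL that satisfies the check, for a table named datasets:

    ALTER TABLE datasets ENABLE ROW LEVEL SECURITY;
    ALTER TABLE datasets FORCE ROW LEVEL SECURITY;
    CREATE POLICY datasets_tenant ON datasets
        USING (org_id = current_setting('app.org_id')::uuid)
        WITH CHECK (org_id = current_setting('app.org_id')::uuid);

and each request runs SET LOCAL app.org_id = '<uuid>' inside its transaction.
"""
from dataclasses import dataclass, field

TENANT_SETTING = "app.org_id"  # assumed name of the per-transaction setting


@dataclass
class TableInfo:
    name: str
    has_tenant_column: bool          # from information_schema.columns
    rls_enabled: bool                # pg_class.relrowsecurity
    rls_forced: bool                 # pg_class.relforcerowsecurity
    # (policyname, cmd, qual, with_check) tuples from pg_policies
    policies: list = field(default_factory=list)


def audit_rls(tables):
    """Return {table_name: [problem, ...]} for tenant tables with gaps."""
    findings = {}
    for t in tables:
        if not t.has_tenant_column:
            continue  # not tenant-scoped; out of scope for this check
        problems = []
        if not t.rls_enabled:
            problems.append("row-level security not enabled: every row is visible")
        elif not t.rls_forced:
            # Without FORCE the table owner (often the app role) bypasses policies.
            problems.append("FORCE ROW LEVEL SECURITY missing: owner bypasses policies")
        if t.rls_enabled and not t.policies:
            problems.append("RLS enabled but no policy: default-deny, nothing readable")
        for name, cmd, qual, with_check in t.policies:
            reads = cmd in ("ALL", "SELECT", "UPDATE", "DELETE")
            writes = cmd in ("ALL", "INSERT", "UPDATE")
            if reads and TENANT_SETTING not in (qual or ""):
                problems.append(f"policy {name}: USING does not test {TENANT_SETTING}")
            # For ALL/UPDATE an omitted WITH CHECK falls back to the USING expression.
            effective_check = with_check if with_check is not None else qual
            if writes and TENANT_SETTING not in (effective_check or ""):
                problems.append(f"policy {name}: new rows are not pinned to the tenant")
        if problems:
            findings[t.name] = problems
    return findings


def sample_catalog():
    """Constructed catalog rows: one good table, two gaps, one non-tenant table."""
    good = "(org_id = (current_setting('app.org_id'::text))::uuid)"
    return [
        TableInfo("datasets", True, True, True, [("datasets_tenant", "ALL", good, good)]),
        TableInfo("dashboards", True, True, False, [("dashboards_tenant", "ALL", good, None)]),
        TableInfo("uploads", True, False, False, []),
        TableInfo("plans", False, False, False, []),
    ]


if __name__ == "__main__":
    for table, problems in audit_rls(sample_catalog()).items():
        print(table)
        for p in problems:
            print("  -", p)
```

Two things the check cannot see from the catalog: superusers and roles with the BYPASSRLS attribute ignore policies regardless of FORCE, so the application should connect as a role that has neither, and a policy is only as good as the setting it reads, so app.org_id must be set from the authenticated session and never from request input.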

PII redaction at ingest

Common patterns like emails, phone numbers, credit cards, and SSNs are automatically redacted on upload, so PII in those formats never reaches the AI layer. Redaction is pattern-based: identifiers that do not match a known format, such as a person's name in a free-text column, are not detected by it.
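An added example of the kind of pattern-based redaction described above, written for this page and not taken from Genuics' own ingest code. It covers the four identifier families named, and validates candidate card numbers with the Luhn checksum so that a long numeric order ID is not redacted as a card. The regular expressions, the placeholder tokens and SAMPLE_ROW are constructed for the example.

```python
"""Pattern-based PII redaction at ingest (added example, not Genuics code).

Redacts emails, Luhn-valid card numbers, US SSNs and North American phone
numbers from a text field before it is stored or passed to an AI layer.
The sample row below is constructed.
"""
import re

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
# North American phone number with optional country code and separators.
PHONE = re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str):
    """Return (redacted_text, counts). The card pass runs before the phone
    pass so a card number is never partially consumed as a phone number."""
    counts = {"EMAIL": 0, "CARD": 0, "SSN": 0, "PHONE": 0}

    def sub(kind, pattern, s, accept=lambda m: True):
        def repl(m):
            if not accept(m):          # e.g. failed Luhn: leave the text alone
                return m.group(0)
            counts[kind] += 1
            return f"[{kind}]"
        return pattern.sub(repl, s)

    text = sub("EMAIL", EMAIL, text)
    text = sub("CARD", CARD, text,
               accept=lambda m: luhn_ok(re.sub(r"\D", "", m.group(0))))
    text = sub("SSN", SSN, text)
    text = sub("PHONE", PHONE, text)
    return text, counts


# Constructed sample: one of each identifier plus a 13-digit ID that is not a card.
SAMPLE_ROW = ("Contact jane.doe@example.com or (415) 555-0123; card 4111 1111 1111 1111, "
              "ssn 123-45-6789; order id 1234567890123 is not a card")

if __name__ == "__main__":
    redacted, seen = redact(SAMPLE_ROW)
    print(redacted)
    print(seen)
```

At ingest the safer failure mode is over-redaction, so the phone pattern deliberately accepts loose separators; the card pattern goes the other way and demands a valid checksum, because 13 to 19 digit identifiers are common in business data and redacting them would destroy the column's value.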

Signed upload URLs

CSV uploads use short-lived, write-only, org-scoped signed URLs. Files land in a namespace only your workspace can read.

Org-scoped storage

Files in object storage are pathed by organization ID. The application layer cannot construct a path that crosses tenant boundaries.
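The two properties above, org-scoped object keys and short-lived write-only signed URLs, shown end to end as an added example. This is not Genuics' code and not the cloud provider's signing scheme: in production the object store (GCS here) issues a V4 signed URL and verifies it itself. The HMAC construction below stands in for that so both sides of the exchange can run offline; the signing key, host, TTL and organization IDs are constructed for the example.

```python
"""Org-scoped, short-lived, write-only upload URLs (added example).

Not Genuics code and not GCS's V4 signing: an HMAC stand-in that shows the
same three properties end to end. The URL expires, it only authorizes PUT,
and it is bound to one object key under the caller's organization prefix.
"""
import hashlib
import hmac
import posixpath
import time
import uuid
from urllib.parse import parse_qs, urlsplit

SIGNING_KEY = b"constructed-example-key"   # assumption: a real key lives in a KMS
UPLOAD_HOST = "https://uploads.example.invalid"
DEFAULT_TTL = 300                          # seconds; "short-lived"


def object_key(org_id: str) -> str:
    """Server-chosen key under the org prefix. The client's filename is never
    used, so it cannot steer the object out of the namespace."""
    uuid.UUID(org_id)  # raises on anything that is not a well-formed org id
    return f"orgs/{org_id}/uploads/{uuid.uuid4()}.csv"


def in_org(org_id: str, key: str) -> bool:
    """True only if key stays inside orgs/<org_id>/ after path normalization,
    so '..' segments and stray slashes cannot reach another tenant's prefix."""
    prefix = f"orgs/{org_id}/"
    normalized = posixpath.normpath("/" + key).lstrip("/")
    return normalized == key and key.startswith(prefix)


def _signature(method: str, key: str, expires: int) -> str:
    canonical = f"{method}\n{key}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


def sign_upload_url(org_id: str, key: str, ttl: int = DEFAULT_TTL, now=None) -> str:
    """Issued by the application after it has authenticated org_id."""
    if not in_org(org_id, key):
        raise ValueError(f"key {key!r} is outside org {org_id}")
    expires = int(now if now is not None else time.time()) + ttl
    sig = _signature("PUT", key, expires)  # write-only: only PUT is ever signed
    return f"{UPLOAD_HOST}/{key}?expires={expires}&sig={sig}"


def verify_upload(method: str, url: str, now=None) -> bool:
    """What the receiving side checks before accepting the bytes."""
    parts = urlsplit(url)
    key = parts.path.lstrip("/")
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    if method != "PUT":                                    # no reads, no deletes
        return False
    if int(now if now is not None else time.time()) > expires:
        return False                                       # expired
    # Recompute over the key actually requested; any change to it breaks the MAC.
    return hmac.compare_digest(_signature("PUT", key, expires), sig)


if __name__ == "__main__":
    org = str(uuid.uuid4())
    url = sign_upload_url(org, object_key(org))
    print(url)
    print("PUT accepted:", verify_upload("PUT", url))
    print("GET accepted:", verify_upload("GET", url))
```

The key point is the order of operations in sign_upload_url: the org check runs on the exact key that gets signed, and the verifier recomputes the MAC over the key in the request, so there is no step at which a client-controlled path is trusted.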

AI privacy

Your data is never used to train Genuics models or any third-party model. Inference happens through Google Vertex AI under a no-training contract.

Export and deletion

Export your data at any time. Request deletion from your account or in writing, and we honor it on the timeline set out in the DPA.

Questions for our security team?

Email security@genuics.com to request SOC 2 documentation, a BAA, our DPA, or a vendor-assessment questionnaire response.