# Trust & security

This page describes how Sumble protects customer data and the systems that process it.

## Infrastructure security

Sumble runs on Google Cloud Platform (GCP) with the following security measures:

* **Encryption in transit.** All data transmitted between clients and Sumble services uses TLS. Internal service-to-service communication is also encrypted.
* **Encryption at rest.** All databases and storage systems use GCP's default encryption at rest.
* **Network isolation.** Production databases are not accessible from the public internet. Access is restricted to authorized services within our GCP project.
* **Access controls.** Internal access to production systems follows the principle of least privilege. Administrative actions are logged to an audit trail.

## Authentication

* **User authentication.** Sumble uses JWT-based authentication. Users sign in with their email address via magic link or SSO (for enterprise customers using [Okta SSO](https://docs.sumble.com/enterprise-services/integrations/okta-sso-oidc)).
* **API authentication.** API access uses bearer tokens generated from the [API keys page](https://sumble.com/account/api-keys). Keys can be revoked at any time.
* **Enterprise SSO.** Organizations on enterprise plans can configure single sign-on through Okta OIDC so that employees authenticate through their corporate identity provider.

## Data handling

* **Customer data isolation.** Each customer's CRM data (accounts, contacts, enrichments) is logically isolated and only accessible to authorized users within that customer's organization.
* **Data retention.** Sumble retains user activity data and enrichment results for the duration of the customer relationship. Data can be deleted upon request.
* **No resale of customer data.** CRM data shared with Sumble for enrichment (account lists, contact lists) is used only for providing enrichment services back to that customer. It is not shared with other customers or sold.

## Compliance

* **SOC 2.** Sumble maintains SOC 2 compliance. Details are available through our trust center.
* **GDPR.** Sumble processes data in accordance with GDPR requirements. People data sourced from public professional profiles is handled in compliance with applicable data protection regulations.

## Responsible AI

Sumble uses machine learning models to extract structured data from job posts (entity extraction, relationship classification, job function classification). These models are trained on job market data and do not process personal communications, private documents, or sensitive personal information. LLMs are used in limited contexts for entity disambiguation and signal title generation, with outputs validated against structured data.

## External resources

* [Trust center](https://trust.sumble.com/) — security documentation, compliance reports, and policies
* [System status](https://status.sumble.com/) — real-time system availability and incident history