Security
How we safeguard your data.
At Index, safeguarding your data is our top priority. We implement robust security measures to ensure your information remains protected at all times.
Credentials Encryption
All user credentials are encrypted at rest with AES-256. When your credentials are stored on our servers, only the encrypted form is written to storage, so anyone who obtains the stored bytes without the key cannot read them. Google Cloud employs the Advanced Encryption Standard (AES) algorithm for encrypting data at rest, with AES-256 being the default encryption method.
Data Caching
To enhance your user experience, we cache data within our Google Cloud Platform instance for a duration of 6 hours. This caching mechanism allows for quicker data retrieval and improved performance. Data cached in Cloud Storage is encrypted at the storage level using Data Encryption Keys (DEKs), which use AES-256 by default.
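To make the two statements above concrete, here is an added illustration (not Index's code, and not Google Cloud's implementation) of what "encrypted at rest with a DEK using AES-256" and "cached for 6 hours" amount to in practice: a credential is sealed with AES-256-GCM under a random 32-byte data encryption key, the blob is tied to its owning record through authenticated associated data, and the cache entry carries an expiry stamp. The record type, the `user:42` identifier, the sample token and the hour values in the demo are constructed for the example; the 6-hour TTL is the figure the page states.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// dekSize is 32 bytes: AES-256, the default the page says Google Cloud uses.
const dekSize = 32

// CacheTTL mirrors the 6-hour cache window described on the page.
const CacheTTL = 6 * time.Hour

// CachedCredential is a hypothetical record layout (not Index's schema).
type CachedCredential struct {
	Ciphertext []byte    // nonce || AES-GCM ciphertext || tag
	ExpiresAt  time.Time // when the cache entry must be discarded
}

// NewDEK generates a fresh random 256-bit data encryption key.
func NewDEK() ([]byte, error) {
	k := make([]byte, dekSize)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// newGCM builds an AES-256-GCM AEAD and rejects keys of the wrong size.
func newGCM(dek []byte) (cipher.AEAD, error) {
	if len(dek) != dekSize {
		return nil, fmt.Errorf("DEK must be %d bytes for AES-256, got %d", dekSize, len(dek))
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under dek with AES-256-GCM. aad (for example the
// owning record's id) is authenticated but not encrypted, so a blob cannot
// be silently moved to another record. Output: random nonce || ciphertext+tag.
func Seal(dek, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal; any change to nonce, ciphertext, tag or aad yields an
// error instead of plaintext, which is what "at rest" integrity relies on.
func Open(dek, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// CacheCredential seals a credential and stamps the entry with the TTL.
func CacheCredential(dek, plaintext, aad []byte, now time.Time) (*CachedCredential, error) {
	ct, err := Seal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	return &CachedCredential{Ciphertext: ct, ExpiresAt: now.Add(CacheTTL)}, nil
}

// Expired reports whether the entry has outlived the cache window.
func (c *CachedCredential) Expired(now time.Time) bool {
	return !now.Before(c.ExpiresAt)
}

func main() {
	dek, _ := NewDEK()
	secret := []byte("constructed-sample-api-token") // constructed, not a real credential
	aad := []byte("user:42")                         // constructed record id
	entry, err := CacheCredential(dek, secret, aad, time.Now())
	if err != nil {
		panic(err)
	}
	pt, err := Open(dek, entry.Ciphertext, aad)
	fmt.Printf("round trip ok: %v\n", err == nil && bytes.Equal(pt, secret))
	entry.Ciphertext[len(entry.Ciphertext)-1] ^= 0x01 // flip one bit of the tag
	_, err = Open(dek, entry.Ciphertext, aad)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

The point to take from the demo is the failure handling: a sealed blob only decrypts with the right key, the right associated data and an untouched tag, and an entry past its `ExpiresAt` is refused rather than served stale. Real deployments wrap the DEK under a separately managed key (envelope encryption); that layer is omitted here.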
Commitment to Security
We continuously monitor and update our security practices to align with industry standards and best practices (beyond what is required for our SOC 2 certification). Our team is dedicated to ensuring the confidentiality, integrity, and availability of your data whenever you need it.
For any questions or concerns about our security measures, please contact our support team (support@index.app).
GDPR Compliance
Roles
For EU personal data, Index is a data processor. Customers are data controllers.
Lawful Basis
Processing is limited to what is necessary to deliver contracted services. We rely on legitimate interest and contractual necessity.
Data Processing Addendum
Our Data Processing Addendum (DPA) incorporates the latest Standard Contractual Clauses (SCCs) for transfers outside the EEA. It is pre-signed and ready to execute electronically.
Data Subject Rights
We support:
- Access
- Rectification
- Erasure
- Restriction
- Portability
- Objection
Requests are handled within 30 days.
Sub-processors
We maintain a public list of sub-processors with notice of changes at least 30 days prior to onboarding a new provider.
Security
Controls mirror those listed for HIPAA and are mapped to GDPR Article 32 requirements for confidentiality, integrity, and availability.
Data Retention
By default we retain customer data for 30 days after contract termination, followed by secure deletion.
HIPAA Compliance
Scope
Index acts as a Business Associate for covered entities that store or analyze protected health information (PHI) in our platform.
Safeguards
| Category | Key controls we enforce |
|---|---|
| Administrative | annual risk assessment, workforce training, incident response plan |
| Technical | AES-256 encryption at rest, TLS 1.3 in transit, role-based access, audit logging |
| Physical | Tier-3 data centers with 24/7 guards, biometric access, CCTV |
Business Associate Agreement (BAA)
We provide a HIPAA-compliant BAA and will execute it with any customer that needs one. Our standard BAA is available upon request and includes:
- permitted uses and disclosures
- breach notification timelines
- subcontractor obligations
Breach Notification
If a security incident affects PHI, we notify customers within 48 hours of discovery, detailing scope and remediation.
Independent Audits & Certifications
- SOC 2 Type II report issued by TrustedSec (latest period: Apr 2024 - Mar 2025)
- Annual penetration tests performed by a CREST-certified firm
- ISO 27001 certification in progress (expected Q4 2025)