At Index, safeguarding your data is our top priority. We implement robust security measures to ensure your information remains protected at all times.

Credentials Encryption

All user credentials are encrypted at rest using advanced encryption standards. This means that when your credentials are stored on our servers, they are transformed into a secure format that unauthorized parties cannot easily decipher. Google Cloud employs the Advanced Encryption Standard (AES) algorithm for encrypting data at rest, with AES-256 being the default encryption method.

Data Caching

To enhance your user experience, we cache data within our Google Cloud Platform instance for a duration of 6 hours. This caching mechanism allows for quicker data retrieval and improved performance. It’s important to note that data cached in Cloud Storage is encrypted at the storage level using Data Encryption Keys (DEKs), which utilize AES-256 by default.

Commitment to Security

We continuously monitor and update our security practices to align with industry standards and best practices (beyond what’s required for our SOC 2 certification). Our team is dedicated to ensuring that your data remains confidential, intact, and available whenever you need it.

For any questions or concerns about our security measures, please contact our support team (support@index.app).


GDPR Compliance

Roles

For EU personal data, Index is a data processor. Customers are data controllers.

Lawful Basis

Processing is limited to what is necessary to deliver contracted services. We rely on legitimate interest and contractual necessity.

Data Processing Addendum

Our Data Processing Addendum (DPA) incorporates the latest Standard Contractual Clauses (SCCs) for transfers outside the EEA. It is pre-signed and ready to execute electronically.

Data Subject Rights

We support:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Portability
  • Objection

Requests are handled within 30 days.

Sub-processors

We maintain a public list of sub-processors and give notice of changes at least 30 days before onboarding a new provider.

Security

Controls mirror those listed for HIPAA and are mapped to GDPR Article 32 requirements for confidentiality, integrity, and availability.

Data Retention

By default we retain customer data for 30 days after contract termination, followed by secure deletion.


HIPAA Compliance

Scope

Index acts as a Business Associate for covered entities that store or analyze protected health information (PHI) in our platform.

Safeguards

Category        Key controls we enforce
Administrative  annual risk assessment, workforce training, incident response plan
Technical       AES-256 encryption at rest, TLS 1.3 in transit, role-based access, audit logging
Physical        Tier-3 data centers with 24/7 guards, biometric access, CCTV

Business Associate Agreement (BAA)

We provide a HIPAA‑compliant BAA and will execute it with any customer that needs one. Our standard BAA is available upon request and includes:

  • permitted uses and disclosures
  • breach notification timelines
  • subcontractor obligations

Breach Notification

If a security incident affects PHI, we notify customers within 48 hours of discovery, detailing scope and remediation.


Independent Audits & Certifications

  • SOC 2 Type II report issued by TrustedSec (latest period: Apr 2024 - Mar 2025)
  • Annual penetration tests performed by a CREST-certified firm
  • ISO 27001 certification in progress (expected Q4 2025)