Your data is safe with us

Protecting customer data is fundamental to how Obvious operates. Security is designed into our systems, processes, and culture—from infrastructure to access controls and vendor risk. We maintain clear standards and enforce robust safeguards at every layer of our work.

SOC 2 Type II Certified

Role-based access controls & MFA

HIPAA Ready

Data encrypted in transit and at rest

ISO 27001 Certified

GDPR & CCPA Compliant

Obvious is SOC 2 Type II, ISO 27001 certified, and maintains compliance with GDPR and CCPA, offering region-specific data hosting options. We are HIPAA ready for handling protected health information and provide a detailed privacy policy and data processing agreement (DPA) for customers and partners.

AI and automation safety

Obvious's AI operates entirely within its own infrastructure and does not send customer-uploaded data to third-party AI vendors. We do not use customer data for training external models, and our AI systems do not retain raw customer data for generalized model learning. AI Assist works exclusively on structured metadata and field mapping patterns—not on raw data itself. All AI-generated suggestions, such as field mappings or error resolutions, are customer-controlled and can be accepted, modified, or dismissed at your discretion. Customers can enable or disable AI features in accordance with their internal security policies. To ensure data isolation, each customer's data is stored in a separate environment with tenant-specific databases that prevent any risk of cross-customer data exposure.

Data encryption and infrastructure security

Obvious is designed for security from the ground up. All data is encrypted in transit and at rest, with isolated databases for each tenant or data upload to ensure strong logical segregation. We host our infrastructure on Amazon Web Services (AWS), using multiple availability zones for redundancy and uptime. Routine backups are fully encrypted and regularly tested to confirm restoration reliability.

Vendor and third-party risk management

All business-critical vendors are evaluated under Obvious's third-party risk policy before onboarding, with contracts that require data protection commitments and business continuity assurances. We conduct ongoing monitoring and annual reassessments of critical suppliers to maintain security and operational integrity across our ecosystem.

Application and endpoint security

Obvious follows OWASP Secure Coding Guidelines and conducts annual third-party penetration testing to validate system integrity. All employee devices run antivirus software, are fully encrypted, and are managed through mobile device management (MDM). We enforce strict controls over removable media, remote access, and endpoint security. Vulnerability management and patching processes are in place across our infrastructure and devices to ensure ongoing protection.

Authentication and access management

Our platform supports single sign-on (SSO), with multi-factor authentication (MFA) available to strengthen account security. Role-based access control (RBAC) governs permissions across both the platform and administrative functions. We perform annual access reviews and ensure automatic deprovisioning for terminated users to maintain proper access hygiene.