Your data is safe with us
Protecting customer data is fundamental to how Obvious operates. Security is designed into our systems, processes, and culture—from infrastructure to access controls and vendor risk to incident response. We maintain clear standards and enforce reliable safeguards at every layer of our work.

SOC 2 Type II Certified
Role-based access controls & MFA
HIPAA Ready
Data encrypted in transit and at rest
ISO 27001 Certified
GDPR & CCPA Compliant
Obvious is SOC 2 Type II and ISO 27001 certified, maintains compliance with GDPR and CCPA, and offers region-specific data hosting options. We are HIPAA ready for handling protected health information and provide a detailed privacy policy and data processing agreement (DPA) for customers and partners.
AI and automation safety infrastructure security
Obvious’s AI operates entirely within its own infrastructure and does not send customer-uploaded data to third-party AI vendors. We do not use customer data for training external models, and our AI systems do not retain raw customer data for generalized model learning. AI Assist works exclusively on structured metadata and field mapping patterns—not on raw data itself. All AI-generated suggestions, such as field mappings or error resolutions, are customer-controlled and can be accepted, modified, or dismissed at your discretion. Customers can enable or disable AI features in accordance with their internal security policies. To ensure data isolation, each customer’s data is stored in a separate environment with tenant-specific databases that prevent any risk of cross-customer data exposure.
Data encryption and infrastructure security
Obvious is designed for security from the ground up. All data is encrypted in transit and at rest, with isolated databases for each tenant or data upload to ensure strong logical segregation. We host our infrastructure on Amazon Web Services (AWS), using multiple availability zones for redundancy and uptime. Routine backups are fully encrypted and regularly tested to confirm restoration reliability.
Vendor and third-party risk management
All business-critical vendors are evaluated through Flatfile’s third-party risk policy before onboarding, with contracts that require data protection commitments and business continuity assurances. We conduct ongoing monitoring and annual reassessments of critical suppliers to maintain security and operational integrity across our ecosystem.
Application and endpoint security
Obvious follows OWASP Secure Coding Guidelines and conducts annual third-party penetration testing to validate system integrity. All employee devices run antivirus software, are fully encrypted, and are managed through mobile device management (MDM). We enforce strict controls over removable media, remote access, and endpoint security. Vulnerability management and patching processes are in place across our infrastructure and devices to ensure ongoing protection.
Authentication and access management
Our platform supports single sign-on (SSO), with multi-factor authentication (MFA) available to strengthen account security. Role-based access control (RBAC) governs permissions across both the platform and administrative functions. We perform annual access reviews and ensure automatic deprovisioning for terminated users to maintain proper access hygiene.