Security at Weavely

Last updated: April 2026

Weavely is the data warehouse your agency's marketing data lives in. That data — client campaign performance, customer identifiers, conversion events, spend across dozens of ad platforms — is some of the most sensitive information you handle. Protecting it isn't a feature we bolted on; it's the foundation the product is built on.

This page documents the controls, certifications, and practices that protect Weavely, your agency, and the client data you entrust to us. If you need documentation that isn't linked here, email security@weavely.com — most of our policies, audit reports, and questionnaires are available under NDA through our Trust Center.

Our security program at a glance

Weavely's security program is built on the principles of defense in depth, least privilege, and zero trust. We assume any single control can fail, so technical safeguards, organizational policies, and continuous monitoring are layered such that a failure at one layer is caught at another. Our program is modeled on the NIST Cybersecurity Framework and audited against SOC 2 and ISO 27001 standards.

The program is owned by our Chief Information Security Officer and is reviewed at least quarterly by Weavely's executive team. Every engineer at Weavely is expected to own security outcomes within their area — security is a company-wide discipline, not a separate team's problem.

Compliance and certifications

Weavely maintains the following certifications and attestations, independently audited by accredited third parties:

SOC 2 Type II. Weavely is audited annually against the AICPA's Trust Services Criteria for Security, Availability, and Confidentiality. Our most recent SOC 2 Type II report is available to customers and prospects under NDA via the Trust Center.

ISO/IEC 27001. Weavely's Information Security Management System is certified against ISO 27001, the international standard for information security management. Our certificate and Statement of Applicability are available on request.

GDPR. Weavely processes personal data in compliance with the EU General Data Protection Regulation. We sign a Data Processing Addendum (DPA) with every customer, incorporating the European Commission's Standard Contractual Clauses (SCCs) for international transfers and the UK International Data Transfer Addendum where applicable.

CCPA / CPRA. Weavely complies with the California Consumer Privacy Act as amended by the CPRA, and acts as a "service provider" under the statute with respect to customer data.

HIPAA (available on request). For agencies with healthcare clients, Weavely can execute a Business Associate Agreement (BAA) on enterprise plans. Our infrastructure supports the Administrative, Physical, and Technical Safeguards required under the HIPAA Security Rule.

Additional frameworks. Weavely aligns with CIS Critical Security Controls, OWASP Application Security Verification Standard (ASVS) Level 2, and the Cloud Security Alliance's CAIQ. A completed CAIQ is available through our Trust Center.

Infrastructure security

Cloud hosting. Weavely runs entirely on [Amazon Web Services / your cloud provider] in SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, and PCI DSS-compliant data centers. We do not operate any physical infrastructure of our own — physical, environmental, and hardware controls are inherited from our cloud provider and reviewed during their independent audits.

Data residency. Customer data is stored in the region you select at provisioning time. We currently offer US (us-east-1, us-west-2), EU (eu-west-1, eu-central-1), and APAC (ap-southeast-2) regions. Data never leaves the region you choose unless you explicitly configure cross-region replication.

Network architecture. Production workloads run inside isolated Virtual Private Clouds with no direct internet exposure. All ingress is routed through a Web Application Firewall (AWS WAF) with managed rulesets covering the OWASP Top 10, plus custom rules tuned to Weavely's traffic patterns. DDoS protection is provided by AWS Shield Advanced.

Segmentation. Production, staging, and development environments are fully segregated at the account and network level. No production data is ever copied into lower environments; our engineers work against synthetic datasets.

High availability. Weavely is deployed across a minimum of three Availability Zones within each region, with automated failover for our compute, database, and object storage layers. Our target availability is 99.9% uptime, with real-time status available at status.weavely.com.

Data protection and encryption

Encryption in transit. All traffic between your browser, our connectors, our APIs, and your warehouse is encrypted using TLS 1.2 or higher with modern cipher suites. We enforce HSTS, disable legacy protocols (SSLv3, TLS 1.0, TLS 1.1), and use certificates issued by publicly trusted Certificate Authorities with automated rotation.

Encryption at rest. All customer data at rest — in our primary databases, data warehouse storage, backups, logs, and object storage — is encrypted using AES-256. Encryption keys are managed by AWS KMS with envelope encryption, and key material is never exposed to Weavely engineers or stored in application code or configuration.

Customer-managed keys (CMK). Enterprise customers can bring their own KMS key (BYOK) for encrypting warehouse storage, giving you the ability to revoke Weavely's access to your data at any time.

Tenant isolation. Weavely is a multi-tenant platform with strict logical isolation. Every database query, API request, and background job is scoped to a tenant identifier that is enforced at the application, database, and object-storage layers. We run automated tests on every deploy that attempt cross-tenant access and fail the build if any succeed.
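As an added illustration (not Weavely's code), the pattern described above: a data-access layer that applies the tenant filter unconditionally, plus a deploy-time probe that tries to read every row owned by another tenant and reports any success so the build can fail. The in-memory store, sample rows and function names are constructed for this example.

```python
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class RequestContext:
    tenant_id: str   # taken from the authenticated session, never from request input
    actor: str


# Constructed sample rows: every record carries the tenant it belongs to.
CAMPAIGNS = [
    {"id": "c1", "tenant_id": "agency-a", "spend": 1200},
    {"id": "c2", "tenant_id": "agency-a", "spend": 300},
    {"id": "c3", "tenant_id": "agency-b", "spend": 9500},
]


def list_campaigns(ctx: RequestContext) -> list:
    """Application-layer scoping: the tenant filter is applied unconditionally."""
    return [row for row in CAMPAIGNS if row["tenant_id"] == ctx.tenant_id]


def get_campaign(ctx: RequestContext, campaign_id: str) -> dict:
    """Look up by id AND tenant, so a guessed id belonging to another tenant is
    indistinguishable from an id that does not exist."""
    for row in CAMPAIGNS:
        if row["id"] == campaign_id and row["tenant_id"] == ctx.tenant_id:
            return row
    raise KeyError(campaign_id)


def is_visible(ctx: RequestContext, campaign_id: str) -> bool:
    try:
        get_campaign(ctx, campaign_id)
        return True
    except KeyError:
        return False


def cross_tenant_probe() -> list:
    """Deploy-time check: for every tenant, attempt to read every row owned by
    another tenant through both access paths. Each success is a leak; a
    non-empty result should fail the build."""
    tenants = sorted({row["tenant_id"] for row in CAMPAIGNS})
    leaks = []
    for tenant, row in itertools.product(tenants, CAMPAIGNS):
        if row["tenant_id"] == tenant:
            continue
        ctx = RequestContext(tenant_id=tenant, actor="ci-probe")
        if is_visible(ctx, row["id"]):
            leaks.append((tenant, "get", row["id"]))
        if any(r["id"] == row["id"] for r in list_campaigns(ctx)):
            leaks.append((tenant, "list", row["id"]))
    return leaks


if __name__ == "__main__":
    assert cross_tenant_probe() == [], "cross-tenant access possible; failing build"
```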

Data minimization. Our marketing platform connectors request the narrowest OAuth scopes necessary to ingest the metrics you've selected. You can review, modify, or revoke connector permissions from your Weavely dashboard at any time.

Data deletion. When you delete a dataset, connector, or account, the corresponding data is marked for deletion immediately and purged from primary storage within 30 days and from encrypted backups within 90 days. On request, we provide written confirmation of deletion.

Identity and access management

For your team

Single Sign-On (SSO). Weavely supports SAML 2.0 SSO with all major identity providers, including Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, OneLogin, JumpCloud, and Ping. SSO is included on all business and enterprise plans — we don't charge an "SSO tax."

SCIM user provisioning. Enterprise plans support SCIM 2.0 for automated user provisioning, deprovisioning, and group-to-role mapping from your IdP.

Multi-factor authentication (MFA). MFA is available for all users and can be enforced organization-wide by administrators. We support TOTP authenticator apps and FIDO2/WebAuthn security keys. We do not support SMS as a second factor due to SIM-swap risk.

Role-based access control (RBAC). Weavely provides granular roles (Admin, Editor, Analyst, Viewer, Billing) plus the ability to define custom roles and scope access down to individual clients, workspaces, and data sources.

Session management. Sessions expire after a configurable period of inactivity (default: 12 hours) and are invalidated on password change, role change, or administrator request. Administrators can force a log-out of any user from the audit dashboard.

Audit logs. Every meaningful action in Weavely — logins, permission changes, connector configuration, query execution, data exports — is logged with the actor, timestamp, source IP, and affected resource. Audit logs are retained for 12 months by default (longer on enterprise plans) and can be streamed to your SIEM via webhook or to an S3 bucket you own.

For Weavely employees

Least privilege. Weavely employees receive only the access required for their role, granted through automated workflows tied to their HR record. Access is reviewed quarterly.

No standing production access. No Weavely engineer has standing access to customer data. Production access is granted just-in-time through an approval workflow, is scoped to a specific incident or ticket, expires automatically, and is fully logged and monitored. Every session is recorded and available for customer review on request for enterprise accounts.

Hardware-backed MFA. All Weavely employees use FIDO2 security keys as their second factor for every internal system.

Managed devices. Every Weavely employee works from a company-managed laptop with full-disk encryption, EDR (endpoint detection and response), automated patching, and remote-wipe capability. Personal devices cannot access production systems.

Application security

Secure SDLC. Security is integrated into every phase of development. Features are threat-modeled during design, reviewed by a second engineer before merge, scanned automatically on every pull request, and subject to security sign-off before any user-facing release that touches authentication, authorization, or data handling.

Static and dynamic analysis. Every pull request runs through SAST (static application security testing) and SCA (software composition analysis) tools that block merges on high-severity findings. We run DAST (dynamic analysis) against staging environments weekly.

Dependency management. We continuously monitor open-source dependencies for known vulnerabilities using automated tooling and apply patches within defined SLAs: critical vulnerabilities within 24 hours, high within 7 days, medium within 30 days.

Secrets management. API keys, database credentials, and connector tokens are stored in a dedicated secrets manager (AWS Secrets Manager / HashiCorp Vault), never in source code or configuration files. All secrets are rotated on a defined schedule and immediately on employee offboarding.

Penetration testing. Weavely engages an independent third-party firm to conduct full-scope penetration tests at least annually, covering our web application, public APIs, and cloud infrastructure. Executive summaries are available to customers under NDA. Any high or critical findings are remediated before the engagement closes.

Bug bounty program. Weavely runs a private bug bounty program through [HackerOne / Bugcrowd / your provider] and rewards external researchers who responsibly disclose vulnerabilities. See "Responsible disclosure" below for details.

Monitoring, detection, and incident response

24/7 monitoring. Production systems are monitored continuously by an on-call engineering team and a security operations function. Metrics, logs, and traces are aggregated into our observability stack; security events are forwarded to our SIEM for correlation and alerting.

Threat detection. We use cloud-native threat detection (GuardDuty, CloudTrail analysis, VPC flow logs) combined with application-layer anomaly detection to identify suspicious behavior such as unusual data exfiltration patterns, impossible-travel logins, and privilege escalation attempts.
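As an added example (not Weavely's detection code), the impossible-travel check mentioned above run over constructed audit lines that carry the fields listed under "Audit logs" (actor, timestamp, source IP, affected resource). The IP-to-location table, the event schema and the 1000 km/h threshold are assumptions made for this illustration.

```python
import json
import math
from datetime import datetime

# Constructed IP-to-location table (lat, lon) standing in for a GeoIP lookup.
GEO = {
    "203.0.113.10": (51.5074, -0.1278),   # London
    "198.51.100.7": (40.7128, -74.0060),  # New York
    "192.0.2.44": (51.4545, -2.5879),     # Bristol
}
MAX_KMH = 1000.0  # faster than any airliner: physically implausible travel

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(lines, max_kmh=MAX_KMH):
    """Return (actor, previous_ip, new_ip, km/h) for each login that would have
    required the same actor to move faster than max_kmh since their last login."""
    events = [json.loads(line) for line in lines]
    for ev in events:  # audit timestamps are assumed to be UTC ISO 8601 with a trailing Z
        ev["ts"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
    last, findings = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "login" or ev["source_ip"] not in GEO:
            continue  # only logins with a resolvable origin are compared
        prev = last.get(ev["actor"])
        if prev is not None:
            km = haversine_km(GEO[prev["source_ip"]], GEO[ev["source_ip"]])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            # zero elapsed time from a different place is also impossible
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                findings.append((ev["actor"], prev["source_ip"], ev["source_ip"], round(speed, 1)))
        last[ev["actor"]] = ev
    return findings

# Constructed audit lines using the fields this page lists for audit events.
SAMPLE = [
    '{"timestamp":"2026-04-01T09:00:00Z","actor":"ana@agency.example","action":"login","source_ip":"203.0.113.10","resource":"session"}',
    '{"timestamp":"2026-04-01T09:40:00Z","actor":"ana@agency.example","action":"login","source_ip":"198.51.100.7","resource":"session"}',
    '{"timestamp":"2026-04-01T09:05:00Z","actor":"ben@agency.example","action":"login","source_ip":"203.0.113.10","resource":"session"}',
    '{"timestamp":"2026-04-01T11:05:00Z","actor":"ben@agency.example","action":"login","source_ip":"192.0.2.44","resource":"session"}',
    '{"timestamp":"2026-04-01T09:50:00Z","actor":"ana@agency.example","action":"export","source_ip":"198.51.100.7","resource":"dataset/clients"}',
]

if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE):
        print("impossible travel:", hit)
```

Only the London-to-New York pair 40 minutes apart is flagged; the London-to-Bristol pair two hours apart stays under the threshold, and the export event is ignored because it is not a login.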

Incident response plan. Weavely maintains a documented Incident Response Plan aligned with NIST SP 800-61. The plan defines severity levels, roles, communication workflows, and post-incident review requirements. We run tabletop exercises at least twice a year and a full-scale simulation annually.

Breach notification. In the event of a confirmed security incident involving customer data, Weavely will notify affected customers without undue delay and no later than 72 hours after becoming aware, in accordance with GDPR Article 33 and our Data Processing Addendum. Notifications include the nature of the incident, the data affected, measures taken, and the customer contact for follow-up.

Business continuity and disaster recovery

Backups. Weavely performs continuous, point-in-time backups of all primary databases with a retention window of 35 days. Warehouse storage is replicated across multiple Availability Zones, and critical data is additionally backed up to a separate region for disaster recovery.

Recovery objectives. Our published targets are a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour for a full regional outage. Historical performance has consistently beaten both targets.

DR testing. We conduct documented disaster recovery exercises at least twice per year, including full restoration from backups into an isolated environment. Results are reviewed by leadership, and any findings are tracked to closure.

Resilience engineering. Weavely practices chaos engineering in lower environments, proactively injecting failures to validate that our systems degrade gracefully and our runbooks are accurate.

Privacy and data governance

Data Processing Addendum. Weavely signs a DPA with every customer that incorporates the latest EU Standard Contractual Clauses, the UK IDTA, and Swiss amendments where applicable. The DPA is available at weavely.com/legal/dpa and can be executed electronically.

Subprocessors. We maintain a current list of subprocessors at weavely.com/legal/subprocessors. Customers can subscribe to be notified at least 30 days before any new subprocessor is engaged, providing an opportunity to object.

Data subject requests. We provide tooling and APIs to help you respond to data subject access, correction, and deletion requests under GDPR, CCPA, and other privacy regulations within statutory timelines.

Data retention. Customer data is retained for the duration of your subscription plus a grace period (typically 30 days) after termination, after which it is permanently deleted unless a longer retention period is contractually required.

We don't sell data. Weavely does not sell, rent, or share customer data with third parties for advertising or marketing purposes. We don't use your data to train machine learning models that benefit other customers. Your data is used only to deliver the Weavely service to you.

Personnel security

Background checks. Every Weavely employee and contractor with access to production systems or customer data undergoes a background check at hire, to the extent permitted by local law.

Confidentiality. All employees sign confidentiality and IP assignment agreements as a condition of employment and are bound by our Code of Conduct and Acceptable Use Policy.

Security training. All employees complete security and privacy awareness training at onboarding and annually thereafter. Engineers receive additional role-specific secure-coding training. We run internal phishing simulations quarterly.

Offboarding. When an employee departs, all access is revoked within one hour of their employment end time through our automated offboarding workflow, and their devices are recovered and wiped.

Vendor and supply chain security

Weavely maintains a formal Vendor Risk Management program. Before onboarding any vendor who will process customer data, we review their SOC 2 or ISO 27001 report, data processing practices, and security questionnaire responses. High-risk vendors are re-assessed annually. We require DPAs with every subprocessor and flow down relevant obligations from our customer agreements.

We monitor our software supply chain using SBOM generation, signed artifacts, and continuous vulnerability scanning of container images and build dependencies.

Customer security controls

Security is a shared responsibility. Weavely provides the following controls so your team can apply your organization's security policies:

  • SAML SSO with any standards-compliant IdP, included on all paid plans

  • SCIM 2.0 provisioning and deprovisioning on enterprise plans

  • Enforced MFA, session timeout, and password policy settings

  • Fine-grained RBAC with custom roles and per-workspace scoping

  • IP allowlisting and egress controls on enterprise plans

  • Full audit logs with SIEM streaming

  • Customer-managed encryption keys (BYOK) on enterprise plans

  • Data residency selection across US, EU, and APAC regions

  • Connector-level permissions and OAuth scope transparency

  • Configurable data retention and on-demand deletion

Responsible disclosure

We're grateful to the security research community for helping keep Weavely safe. If you believe you've found a vulnerability, please report it to security@weavely.com (PGP key available at weavely.com/.well-known/security.txt).

What we ask. Give us a reasonable time to respond and remediate before public disclosure, don't access customer data beyond what's necessary to demonstrate the issue, don't perform testing that could degrade service for other customers, and avoid social engineering, phishing, or physical attacks.

What you can expect. We acknowledge reports within one business day, provide an initial assessment within five business days, and keep you updated through remediation. We will not pursue legal action against researchers who act in good faith and follow our policy. Qualifying vulnerabilities are eligible for rewards through our bug bounty program.

A full scope and rules-of-engagement document is available at weavely.com/security/responsible-disclosure.

Trust Center and documentation

The following materials are available to customers and qualified prospects through our Trust Center at trust.weavely.com:

  • SOC 2 Type II report

  • ISO 27001 certificate and Statement of Applicability

  • Penetration test executive summary

  • CAIQ and SIG Lite questionnaires

  • Data Processing Addendum and Standard Contractual Clauses

  • Subprocessor list with change notifications

  • Business Continuity and Disaster Recovery Plan summary

  • Information Security Policy summary

Most documents are available under a click-through NDA. For custom security reviews, questionnaires, or architecture deep-dives, contact your account team or security@weavely.com.

Contact

General security questions: security@weavely.com

Vulnerability reports: security@weavely.com (PGP: weavely.com/.well-known/security.txt)

Privacy and data subject requests: privacy@weavely.com

Law enforcement requests: legal@weavely.com

Status and incidents: status.weavely.com

Weavely Ltdinc. · 71-75 Shelton Street, London, WC2H 9JQ, United Kingdom