Northern+

Security & Trust

Lead and client data is sensitive on a different scale than typical SaaS.

NorthernPlus is built so that staying compliant is the path of least resistance, not a separate workstream. Below is an honest snapshot of where we are, where we’re heading, and how we handle data for your business and the customers it serves. We built first to the legal industry's compliance bar, one of the most demanding there is. That same posture now protects every company we serve, whatever the industry.

Compliance posture

Where we are today.

We don’t oversell what we have. Here’s the current state, item by item.

SOC 2 Type II

Audit window underway. We can share our current control framework, monitoring posture, and progress under NDA during a procurement review.

In progress

HIPAA-aligned posture

Encryption, access controls, audit logging, and data segregation align with HIPAA Security Rule requirements. BAA execution available on the Advanced tier; full BAA-eligible posture across all subprocessors on roadmap.

Today

Encryption in transit

TLS 1.3 across every surface: client intake, admin console, voice agent, and integrations. No exceptions.

Today

Encryption at rest

AES-256 at rest across application database, file storage, and backups. Field-level encryption for sensitive intake data on roadmap.

Today

Right to be forgotten

Two-click client redaction for GDPR and CCPA requests. PII is scrubbed in place; engagement audit trails are preserved per your industry's recordkeeping requirements (bar association for legal customers, HIPAA-covered entities where applicable).

Today

Penetration testing

Independent third-party penetration test scheduled before general availability. Report available to enterprise customers under NDA on completion.

Pre-GA

How we handle your data

The protections, in plain language.

Authentication

Email and password for admin access. Magic-link tokens for client intake, hashed at rest, with 14-day sliding expiry and instant revocation.

Today

Tenant isolation

Every workspace’s data is scoped at the database query layer. Cross-tenant access is impossible by construction, not by convention.

Today

Audit logging

Every field edit, override, routing decision, and admin action is recorded with editor, timestamp, and version. The log is exportable for compliance review (bar association, HIPAA, vendor audit, etc.).

Today

Voice call recording

Recordings and transcripts encrypted at rest. Retention configurable per workspace. TCPA-compliant consent capture at call start.

Today

Subprocessor list

Available on request and updated when material changes occur. We notify customers in advance of any subprocessor change that affects data handling.

Today

Data residency

US data centers by default. EU residency for Advanced-tier customers who require it.

Q3

Backup & recovery

Continuous database replication. Off-platform encrypted backups with 30-day retention and tested restore procedures.

Today

SSO & access reviews

SAML and OIDC SSO (Google, Microsoft, Okta) plus quarterly automated access reviews on the Advanced tier.

Advanced

Reporting a vulnerability

If you discover a vulnerability, please report it directly to security@northernplus.com. We acknowledge reports within one business day, triage within three, and disclose responsibly with credit to the reporter when desired.

We do not pursue legal action against good-faith security research conducted under standard responsible-disclosure norms.

Vendor questionnaire?

We respond to security and procurement questionnaires within five business days. Bring yours to your demo or send it ahead at security@northernplus.com.
