Legal

Informational only

SigIndex compliance signals are informational only and do not constitute a Phase I Environmental Site Assessment (as defined by ASTM E1527), legal advice, or a regulatory determination. SigIndex aggregates public US EPA ECHO data and is not affiliated with the EPA.

Security

Preliminary · last revised June 2026

Security is a first-class concern at SigIndex. This summary describes the practices in place today; it will grow into a fuller policy ahead of general availability.

How we protect your data

  • API keys are hashed at rest. We store only a salted hash and a short prefix for identification — your full key is shown once, at creation, and never again.
  • Encryption in transit. All API and dashboard traffic is served over TLS.
  • Row-level security. Account data is isolated per user at the database level; application writes route through a single audited API tier.
  • Secrets management. Credentials live in environment configuration, never in source control, and are scoped to least privilege per service.
  • Payment isolation. Card data is handled entirely by Stripe; SigIndex never stores it.

Reporting a vulnerability

If you believe you’ve found a security issue, please email security@sigindex.com with steps to reproduce. Please give us a reasonable window to investigate and fix before any public disclosure. We don’t yet run a paid bug-bounty program, but we’re grateful for good-faith reports and will credit them where welcome.

What we’re still building

Formal third-party audits, a published subprocessor change log, and a status page are on the roadmap. This page will be updated as those land.