Modem connects to your team’s communication and development tools to aggregate user feedback. That means we handle your data carefully. This page explains what we do to keep it safe.
Full policy documents are available on request. Contact support@modem.dev for compliance documentation.

Compliance

We are pursuing SOC 2 Type II certification. Contact us for details on progress and timeline.

Data Protection

  • Encryption. All data is encrypted in transit using TLS 1.2+ and encrypted at rest. This covers messages, user profiles, and any files Modem processes.
  • Access controls. Employees only access customer data when there is a documented business need. All production access requires multi-factor authentication and is logged.
  • Assessments. We run quarterly vulnerability scans on public-facing systems and annual penetration tests by independent firms.

Data Access and Sharing

No third-party data sharing. We do not sell or share your data with third parties for their own purposes. Data is only shared with service providers necessary to operate Modem.

Technical Safeguards

  • Tenant isolation. Database queries pass through an application-level ORM wrapper that enforces organization-scoped filtering. PostgreSQL Row-Level Security policies provide a second layer of enforcement at the database level, preventing cross-tenant access even in the event of an application bug.
  • Token encryption. OAuth tokens from connected services (Slack, GitHub, Linear) are encrypted at rest using AES-256-GCM with per-token initialization vectors before being stored in the database.
  • Signed media URLs. When Modem proxies images or files from third-party services, it uses HMAC-SHA256 signed URLs with time-limited expiry. The original source URLs are never exposed to the browser.
  • Webhook verification. Inbound webhooks from GitHub, Linear, and other services are verified using HMAC-SHA256 signature checks with constant-time comparison before processing.
  • Minimal access. Integrations with third-party services only request the scopes necessary for the product to function.
  • Input validation. All API inputs are validated against strict schemas at the boundary before reaching application logic.
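The signed media URL and webhook verification items above both come down to an HMAC-SHA256 over a message plus a constant-time comparison. The following is an added illustration, not Modem's own code: the secret, the opaque `id` parameter, the `sha256=<hex>` header shape and the sample payloads are assumptions chosen for the demo.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-not-for-production"


def sign_media_url(proxy_base, media_id, ttl_seconds, secret=SECRET, now=None):
    """Build a proxy URL carrying an opaque media id, an expiry, and an HMAC.
    Only the id is exposed; the proxy resolves it to the source URL server-side."""
    expires = int(now if now is not None else time.time()) + ttl_seconds
    msg = f"{media_id}\n{expires}".encode()  # bind id and expiry together
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{proxy_base}?{urlencode({'id': media_id, 'exp': expires, 'sig': sig})}"


def verify_media_url(url, secret=SECRET, now=None):
    """Return the media id if the signature matches and the URL is unexpired, else None."""
    params = parse_qs(urlsplit(url).query)
    try:
        media_id = params["id"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None  # missing or malformed parameters are rejected outright
    msg = f"{media_id}\n{expires}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # compare_digest is constant-time; a plain == would leak timing information
    if not hmac.compare_digest(expected, sig):
        return None
    current = int(now if now is not None else time.time())
    if current > expires:
        return None  # signature valid but the link has expired
    return media_id


def sign_webhook(body: bytes, secret=SECRET) -> str:
    """Produce a GitHub-style signature header value over the raw request body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(body: bytes, header_sig: str, secret=SECRET) -> bool:
    """Check an inbound webhook header against the raw body before any parsing."""
    return hmac.compare_digest(sign_webhook(body, secret), header_sig)
```

The webhook check runs over the raw bytes, not a re-serialized JSON object, because any re-encoding difference would change the digest.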

Data Retention

  • During your subscription. We retain data for the duration of your paid subscription plus a reasonable period for account recovery.
  • After cancellation. Upon cancellation of your paid plan or at your request, data is permanently deleted from our databases. Backups follow the same retention and deletion policies.

Incident Response

If we discover a security incident affecting your data, we notify you as soon as reasonably possible with details about what happened and what we are doing about it. We comply with all applicable breach notification laws. After any incident, we conduct a review to identify root causes and prevent recurrence.

Reporting a Vulnerability

If you discover a potential security vulnerability, report it to security@modem.dev. We appreciate responsible disclosure and do not take legal action against researchers who act in good faith.