Executive summary
Weld moves data securely between your systems and your warehouse with a defense-in-depth approach: strong encryption (in transit and at rest), least-privilege access, secure SDLC, rigorous monitoring, and audited controls. We minimize data handling, prefer ephemeral processing, and keep transparent evidence for your procurement teams.
- End-to-end encryption: TLS 1.2+ in transit; strong encryption at rest.
- Least-privilege access: RBAC, SSO/MFA, audited elevation.
- Secure SDLC: reviews, SCA, scanning, staged deploys.
- Transparency: public policies, evidence on request.
Data flow & architecture
Weld extracts from approved sources, transports via secure channels, and loads into your destination (e.g., Snowflake, BigQuery, Databricks, Postgres). Processing is ephemeral, and customer data is not retained beyond what’s required to perform the sync.
Sources (Apps / DBs / Files) → Weld (ETL, ephemeral processing) → Destination (Warehouse / Lakehouse)
- EU hosting options; Frankfurt preferred for EU customers.
- Private subnets for core services; public ingress via hardened gateways.
- Secrets in managed KMS; zero secrets in code or repos.
Encryption
- TLS 1.2+ for all connections; HSTS enforced on app endpoints.
- Strong at-rest encryption for managed stores; customer KMS respected where available.
- Key rotation per provider recommendations; strict IAM on key usage.
We avoid storing customer data whenever possible. ETL buffers are ephemeral and scoped to the job lifecycle.
Access & identity
- SSO/MFA enforced for console access; RBAC with least privilege.
- Break-glass access requires approvals and is fully audited.
- SCIM/automatic deprovisioning supported on eligible plans.
2FA · TLS · ISO 27001 · SOC 2 II
Secure SDLC
- Code review & CI checks (linting, unit/integration tests, SCA).
- Secrets management, dependency pinning, image scanning.
- Change management with approvals; staged rollouts and canaries.
Monitoring & incident response
- Centralized logging, metrics, and traces for all services.
- 24/7 on-call rotation; automated alerting for anomalous events.
- Documented IR plan with communication runbooks and post-mortems.
See our status page for uptime and incident history.
Backups, DR & BCP
- Backups with tested restores; RTO/RPO objectives documented.
- Multi-AZ by default; region recovery procedures maintained.
- BCP reviews annually and after material changes.
Compliance & evidence
- ISO 27001: ISO-certified infrastructure with documented ISMS practices.
- Public policies: Data Processing Agreement · Subprocessors
Resources & contacts