Weld logo

SECURITY

Built & designed for data security and privacy

Last updated: Sep 5, 2025≈8 min read

Executive summary

Weld moves data securely between your systems and your warehouse with a defense-in-depth approach: strong encryption (in transit and at rest), least-privilege access, secure SDLC, rigorous monitoring, and audited controls. We minimize data handling, prefer ephemeral processing, and keep transparent evidence for your procurement teams.

End-to-end encryption
TLS 1.2+ in transit; strong at rest.
Least-privilege access
RBAC, SSO/MFA, audited elevation.
Secure SDLC
Reviews, SCA, scanning, staged deploys.
Transparency
Public policies, evidence on request.

Data flow & architecture

Weld extracts from approved sources, transports via secure channels, and loads into your destination (e.g., Snowflake, BigQuery, Databricks, Postgres). Processing is ephemeral, and customer data is not retained beyond what’s required to perform the sync.

Sources
Apps / DBs / Files
Weld (ETL)
Ephemeral processing
Destination
Warehouse / Lakehouse
  • EU hosting options; Frankfurt preferred for EU customers.
  • Private subnets for core services; public ingress via hardened gateways.
  • Secrets in managed KMS; zero secrets in code or repos.

Encryption

  • TLS 1.2+ for all connections; HSTS enforced on app endpoints.
  • Strong at-rest encryption for managed stores; customer KMS respected where available.
  • Key rotation per provider recommendations; strict IAM on key usage.
We avoid storing customer data whenever possible. ETL buffers are ephemeral and scoped to the job lifecycle.

Access & identity

  • SSO/MFA enforced for console access; RBAC with least privilege.
  • Break-glass access requires approvals and is fully audited.
  • SCIM/automatic deprovisioning supported on eligible plans.
2FA
2FA
TLS
TLS
ISO 27001
ISO 27001
SOC 2 II
SOC 2 II

Secure SDLC

  • Code review & CI checks (linting, unit/integration tests, SCA).
  • Secrets management, dependency pinning, image scanning.
  • Change management with approvals; staged rollouts and canaries.

Monitoring & incident response

  • Centralized logging, metrics, and traces for all services.
  • 24/7 on-call rotation; automated alerting for anomalous events.
  • Documented IR plan with communication runbooks and post-mortems.

See our status page for uptime and incident history.

Backups, DR & BCP

  • Backups with tested restores; RTO/RPO objectives documented.
  • Multi-AZ by default; region recovery procedures maintained.
  • BCP reviews annually and after material changes.

Compliance & evidence

SOC 2 Type II
SOC 2 Type II
Independent audit with continuous controls. Report available under NDA.
Request report
ISO 27001
ISO 27001
ISO-certified infrastructure with documented ISMS practices.

Resources & contacts

Data Processing AgreementSubprocessorsRequest SOC 2 reportVulnerability disclosure

Audited by the best in business

DeloitteSensibaEchelon