How we handle your data.
Sideb operates as a boutique studio with enterprise-grade vendor handling. By design, the heavy lifting on certification sits with our subprocessors — each one is independently audited to SOC 2 Type II or higher — and our internal practices map to the same controls. This page is the document your procurement team should ask for.
Encryption
All client data is encrypted in transit via TLS 1.2 or higher. All data at rest in MongoDB Atlas is encrypted with AES-256 using AWS-managed KMS keys.
Payment information never touches our servers: Stripe handles card data directly and returns only opaque session identifiers, so our own systems sit outside PCI DSS cardholder-data scope.
Access controls
Sideb is a tightly-scoped studio. Engagement leads have access to client data only for engagements they're assigned to; no shared logins, no offshore subcontractors.
All vendor consoles (Stripe, MongoDB Atlas, Google Workspace) enforce MFA. Client-dashboard session tokens are carried in cookies set HttpOnly, Secure and SameSite=None, with a 7-day expiry. SameSite=None is the permissive setting: browsers attach the cookie to cross-site requests as well, so it gives no CSRF protection by itself.
Hosting & subprocessors
The application is hosted on the Emergent platform (SOC 2); the primary database is MongoDB Atlas; sign-in is brokered through Google OAuth; payments go through Stripe.
Updated: June 2026
NDAs & contracts
A mutual NDA is signed before any engagement begins. We're happy to sign yours, or we can send ours — both paths land at the same outcome.
Send your NDA or request ours via rev@sideb.io.
AI tooling & data handling
All AI tooling we use for synthesis, modeling, and diagnostics runs on enterprise tiers with a contractual zero-training commitment: client prompts and completions are never used to train third-party models and are not retained beyond the active session window.
Data retention & deletion
Engagement records (bookings, intake forms, quotes) are retained for 24 months by default to meet tax and accounting requirements, then purged.
Clients may request full deletion at the end of an engagement via rev@sideb.io; we complete deletion within 30 days unless a legal hold prevents it.
Who touches your data.
We use a small, deliberate stack. Every subprocessor below is itself audited to SOC 2 Type II or higher.
| Vendor | Purpose & certification | Data region |
|---|---|---|
| Stripe | Payments processor (PCI DSS Level 1 + SOC 2 Type II) | USA / EEA |
| MongoDB Atlas | Primary application database (SOC 2 Type II, ISO 27001) | AWS us-east-1 |
| Google Workspace | Email & calendar (rev@sideb.io, swiles@sideb.io) (SOC 2 Type II) | USA / EEA |
| Emergent Platform | Application hosting & Google OAuth broker (SOC 2) | Multi-region |
Let's get an NDA in place.
Send us your NDA and we'll countersign within one business day, or request ours and we'll have it back to you the same day.