Seguridad de datos y certificaciones

Security Architecture: SaaS vs. On-Premises Deployments

Match Data Pro offers both a cloud-based Software-as-a-Service (SaaS) and an on-premises deployment option. Our SaaS deployment runs on Google Cloud Platform (GCP), leveraging GCP’s robust infrastructure security and compliance certifications (including SOC 2 Type II) as a foundation. This means the physical data centers, network, and hardware are protected by Google’s controls and audits, and we inherit a strong base of security certifications just by hosting there. On top of GCP’s infrastructure safeguards, we implement additional application-level security controls (detailed below) to protect customer data and privacy.

In contrast, for On-Premises deployments, the customer hosts Match Data Pro in their own environment. This gives the customer full control over the underlying infrastructure, network, and physical security. On-Prem customers assume responsibility for infrastructure-level security, including data center controls and server hardening, within their own IT environment. Match Data Pro provides configuration guidance and the same in-app security features in on-prem deployments, ensuring that even in customer-controlled environments, the application itself includes our standard protections. In summary, cloud customers benefit from Google Cloud’s certified infrastructure plus our controls, while on-prem customers manage their own infrastructure but still get our built-in application security.

Infrastructure Security and Compliance (Google Cloud)

Google Cloud Platform’s security certifications and controls form the backbone of our SaaS offering. GCP undergoes independent audits for compliance with SOC 2 Type II, ISO 27001, and other standards, covering areas like physical security, network defense, and infrastructure reliability. Our SaaS servers are hosted in GCP’s U.S. data centers, which meet stringent industry standards and compliance requirements. By hosting on GCP, Match Data Pro inherits these infrastructure-level controls and certifications. For example, Google’s data centers have 24/7 security staff, biometric access controls, and robust environmental safeguards, all of which apply to our cloud environment by default. We leverage GCP’s built-in security features such as default encryption at rest and network protection to ensure a secure foundation.

It’s important to note that while we rely on GCP’s infrastructure compliance, Match Data Pro has not yet completed its own SOC 2 or ISO 27001 audit as a company. We adhere to many of the SOC 2 best practices and have implemented the controls described on this page, but we have not undergone a formal SOC 2 assessment for our internal processes. We believe in transparency about our compliance status – we are open to pursuing certifications like SOC 2 Type II or others in collaboration with enterprise clients who require them. In the meantime, we can provide detailed information about our controls to support your due diligence (and we can share Google Cloud’s SOC 2 report and security documentation upon request to demonstrate the infrastructure’s compliance).

Application-Level Security Controls

Above and beyond the cloud infrastructure, Match Data Pro has developed a comprehensive set of application-level security features. These controls apply equally to our SaaS and on-premises deployments (ensuring a consistent security baseline regardless of hosting model). Our application security measures cover data protection, access control, and monitoring as outlined below:

Data Protection (Encryption)

• Encryption in Transit: All data exchanged between user clients (web browsers, APIs) and the Match Data Pro service is encrypted using TLS 1.2+ This ensures that data is protected from eavesdropping during transmission over the Internet. We enforce modern cipher suites and HTTPS for all connections.
• Encryption at Rest: Customer data stored in the Match Data Pro SaaS environment is encrypted at rest using strong algorithms (AES-256 by default) through Google Cloud’s storage encryption mechanisms. This means that even if storage media were accessed without authorization, the data would be unintelligible without the proper decryption keys. On Google Cloud, all stored data is automatically encrypted using AES-256 by the platform. For on-prem deployments, we support and recommend that customers enable disk or database encryption (for example, using encrypted volumes) on their own infrastructure to similarly protect data at rest.
• Configurable Data Storage (On-Prem): In on-premises installations, organizations can choose how and where to store the application’s data. We provide guidance to ensure that on-prem data storage follows best practices (such as placing databases on encrypted drives and behind appropriate network safeguards). While the customer manages the infrastructure, Match Data Pro’s application will operate with the same encryption standards if integrated with the customer’s encryption tools or platforms.

Access Control and Authentication

• Role-Based Access Control (RBAC): Match Data Pro uses RBAC to enforce the principle of least privilege. Administrators can define roles and granular permissions at the team or project level, ensuring users only access data and functions necessary for their role. This granular permission model prevents unauthorized access within your organization – for example, project data can be restricted to only the assigned team members. All administrative actions (like granting or revoking access) are logged for accountability.
• Two-Factor Authentication (2FA): We support optional two-factor authentication for user logins as an added layer of security. When 2FA is enabled, users must provide a second form of verification (such as a one-time code sent via SMS or an authenticator app) in addition to their password. While 2FA is not mandatory for all users by default, we strongly recommend it for all accounts and can require it for administrative or high-privilege accounts. This aligns with industry best practices where multi-factor authentication is used to protect access to sensitive data. (Match Data Pro integrates with Twilio for SMS-based 2FA codes – see subprocessors.
• Password Policies: We enforce strict password complexity and rotation requirements to reduce the risk of compromised credentials. Passwords must meet minimum length and complexity criteria (including requiring a mix of uppercase, lowercase, numeric, and special characters) and they expire on a periodic schedule, requiring users to choose new passwords regularly. We also prevent reuse of recent passwords to discourage recycling of old credentials. These policies follow common security guidelines for strong authentication. (Note: We are aware of evolving best practices around password management and can adjust complexity/expiration rules to meet enterprise policy or comply with standards like NIST, which emphasize password strength and breach detection over frequent changes.)
• Account Lockout & IP Blacklisting: To thwart brute-force attacks, Match Data Pro will automatically lock out an account after a series of consecutive failed login attempts. This helps prevent attackers from guessing passwords by trial and error. After a configurable number of failures, the account is temporarily suspended from logging in, and an alert can be sent to an admin. Additionally, excessive login failures from a single IP address will trigger an IP block (blacklisting) by the system. This means the suspicious IP is prevented from accessing the service for a period of time, adding another layer of defense against automated attacks. (At this time we support IP blacklisting for malicious actors; an IP allowlisting feature – limiting access only to pre-approved IP ranges – is not yet built into the product.) Administrators can also manually block known-bad IP addresses through the admin console.
• Administrative Access Controls: Administrative functions in the application (such as managing users, roles, system settings, and data imports/exports) are restricted to authorized admin users. Admin accounts can be further protected with the controls above (strong passwords, 2FA, etc.). For the On-Prem version, we can also support integration with customer identity providers for single sign-on (SSO) if enterprise clients prefer to manage user identities through SAML/OIDC; in such cases, our RBAC still applies after the SSO authentication.

Monitoring and Auditing

• Audit Logging: Match Data Pro maintains detailed audit logs of key events and actions in the system. This includes login attempts (successful and failed), user management actions, data import and export events, and administrative configuration changes. All user activity and administrative actions are recorded in audit logs for traceability. These logs enable organizations to retrospectively review “who did what and when” within the application, which is crucial for forensic analysis and compliance. Audit logs are stored securely and can be made available to the customer upon request for their own monitoring or audits.
• Anomaly Detection & Alerts: The platform has basic built-in anomaly detection for security-related events. For example, the system automatically flags repeated failed login attempts or other suspicious behavior (such as unusual activity patterns) for review. If multiple failed logins or other indicators of a brute-force attack occur, Match Data Pro will raise alerts and can notify administrators of the potential threat. Our platform is monitored for unauthorized access attempts or anomalous usage patterns by GCP that could indicate an attack. While these detections are rule-based today (focused on obvious signs like brute force attacks), we plan to continuously improve and possibly incorporate more advanced anomaly detection techniques. Administrators can review the flagged events in the audit logs and we encourage customers to integrate these logs with their Security Incident and Event Management (SIEM) tools for continuous monitoring.
• Session Management: All user sessions are encrypted and tied to secure tokens. Idle sessions time out after a period of inactivity to reduce the risk of an unattended session being misused. Users are automatically logged out when their session expires, and must re-authenticate to continue. We also invalidate all active sessions upon a password change or account lockout to prevent old sessions from persisting after credentials are updated. By default, users are limited to only 1 simultaneous session or tab.  This prevents any unauthorized activity from duplicating a session.

Penetration Testing and Vulnerability Scanning

We conduct regular internal reviews of our code and apply security patches to our software dependencies; however, Match Data Pro has not yet engaged independent third-party penetration testing or periodic vulnerability scanning of our production environment. We want to be transparent that, as of today, we do not have formal external pen test reports or automated vulnerability scan reports to provide. That said, we operate under a philosophy of continuous improvement and welcome collaboration with clients on this front. For enterprise customers, we are open to undergoing third-party security assessments, vulnerability scans, or customer-arranged penetration tests as part of due diligence. If your security team requires an independent evaluation, we will work with you to facilitate a review (for example, allowing read-only test accounts or staging environment access for testers at your direction). Our goal is to earn your trust, and we are receptive to any reasonable testing or audit requests to validate our security posture.

Incident Response Preparedness

Match Data Pro maintains a fully documented, formal Incident Response Plan (IRP) aligned with the NIST SP 800‑61 Rev. 2 framework. This plan defines clear phases — identification, containment, eradication, recovery, and post‑incident analysis — with assigned roles, escalation paths, and communication protocols. In the event of a security incident or data breach, our team follows predefined procedures for detection, assessment, containment, and customer notification, ensuring rapid mitigation and transparency. The IRP includes severity classification guidelines, evidence‑handling standards, and regulatory reporting timelines (e.g., GDPR 72‑hour rule). For enterprise engagements, Match Data Pro can collaborate with customer security teams to tailor incident communication flows and joint playbooks that align with client‑specific compliance frameworks. Regular tabletop exercises, forensic logging, and post‑incident reviews ensure continuous improvement and readiness. Our approach prioritizes speed, accountability, and coordination to minimize impact and maintain trust in every customer environment — both SaaS and On‑Prem.

Third-Party Subprocessors and Integrations

For transparency, below is a list of all third-party subprocessors and services that may handle customer data as part of Match Data Pro’s operation. We disclose these subprocessors for your due diligence:

• Google Cloud Platform (GCP) – Infrastructure hosting provider for our SaaS. All SaaS customer data and servers reside on GCP in the United States. GCP provides the underlying compute, storage, and networking, and by using GCP we inherit their strong security controls and compliance (SOC 2, ISO 27001, etc.) at the infrastructure level. Customer data stored on GCP is protected by Google’s security measures (including encryption at rest and physical security at data centers).
• OpenAI – Optional AI-powered matching validation service (disabled by default). Match Data Pro includes an optional feature that can use OpenAI’s API to assist with data matching validation. This integration is turned off by default – no data is sent to OpenAI unless a customer explicitly enables the AI matching feature. If enabled, only the minimal necessary data is sent to OpenAI’s secure API, and the data is processed for the sole purpose of returning the matching validations. OpenAI is considered a subprocessor in this scenario, and we ensure that data sent to OpenAI is not stored beyond the processing request (per OpenAI’s policies). Clients who do not enable this feature will have no data shared with OpenAI.
• Cloud Storage Integrations (Google Drive, Dropbox, Microsoft OneDrive/SharePoint) – User-initiated import/export integrations. Match Data Pro can integrate with popular cloud storage services to import or export data (for example, importing a CSV from Google Drive, or exporting match results to a customer’s OneDrive folder). These integrations are activated only when a user initiates a data transfer to or from those services. In such cases, the data that the user selects (e.g., a file to import or export) will flow between Match Data Pro and the third-party service via their APIs. We do not store third-party credentials except OAuth tokens when necessary (encrypted at rest), and all transfers use secure API connections. Each of these services (Google Drive, Dropbox, Microsoft’s SharePoint/OneDrive) operates under their own robust security and compliance programs; however, when data leaves Match Data Pro to these services, it becomes subject to the third party’s security controls as well. We provide these connectors for convenience, and customers can restrict or disable them if desired.
• Twilio – Two-Factor Authentication (2FA) SMS delivery. If you enable SMS-based two-factor authentication for user logins, we use Twilio (a trusted communications platform) to send the one-time verification codes via text message to users’ phones. For Saas, this is enabled by default.  Twilio acts as a subprocessor that handles the phone number and the 2FA code content for SMS delivery. We do not send any other customer data through Twilio beyond the 2FA SMS messages. Twilio is a reputable service used by many enterprises for secure communications and is certified under industry standards (such as ISO 27001 and SOC 2) for its operations, ensuring that the 2FA messages are delivered securely.
• Customer-Provided Email (SMTP) Servers – Email delivery via client’s own SMTP for On-Prem. For Saas, Match Data Pro uses Mailjet relay for email notifications. For certain notifications or reports, the On-Prem version of Match Data Pro can be configured to use a customer’s own email server or SMTP service to send emails (for example, sending user invites or password reset emails from your company’s mail server). In these cases, the email content (which may include limited user data like names or email addresses) is transmitted to the SMTP server specified by the customer. That server then delivers the email to recipients. We offer this option so that customers have control over email flow with this on-prem version and can have emails appear to come from their own domain. If not configured, Match Data Pro can use its default email service, but by default we encourage enterprise customers to route emails through their controlled infrastructure. Either way, the email content is minimal and can be reviewed, and no sensitive data is sent via email by the system unless explicitly configured by the user (for instance, if a user exports data via emailed report, which would be initiated and approved by them).

We commit to updating this subprocessor list if we add or change any third-party integrations that handle customer data. We can also provide security documentation for these subprocessors (e.g. Twilio’s security overview, OpenAI’s data usage policies) upon request if needed for your vendor risk assessments.

Data Residency and Hosting Options

All Match Data Pro SaaS data is hosted in the United States by default (in Google Cloud’s U.S. data centers). By default, client data and backups reside in the U.S. region to align with our primary customer base and ensure optimal performance. For most customers, this means data will be stored in and not leave the U.S. However, we understand that some enterprises have specific data residency requirements. We offer regional hosting options for enterprise clients on request. If you require that your data be stored in a particular geographic region (for example, in the European Union or Asia-Pacific), we can discuss a dedicated instance of Match Data Pro in a GCP region of your choice. GCP has a global infrastructure, and we can deploy our application to any of their regional data centers as needed to meet data locality needs. By leveraging GCP’s regional services, we can keep all application data within the requested jurisdiction.

In on-premises deployments, data residency is entirely controlled by the customer. Since the application is installed in your environment, you decide where data is stored and processed – whether on servers in your own data center or in a cloud environment of your choosing. Match Data Pro does not transmit on-premises data back to our servers (unless you choose hybrid connectivity for support or updates, which would be discussed separately). This means on-prem customers can ensure data never leaves their own country or network, if that is a requirement. We simply provide the software and support; you handle the infrastructure and locality.

In all cases, we follow applicable data protection laws and will sign Data Processing Agreements (DPAs) to contractually commit to our data handling practices. If an enterprise customer needs assurances about data residency or segregation (such as a separate database or encryption keys), we are open to accommodating those needs through custom deployments or configurations.

(For reference, many cloud compliance standards allow data to be stored in the U.S. by default. By offering optional EU or other regional hosting, we aim to be flexible for GDPR or other locality mandates.)

Security Documentation and Transparency

We understand that enterprise security and procurement teams often require detailed documentation as part of vendor due diligence. Match Data Pro is committed to transparency in our security practices. We have comprehensive internal documentation and can provide or sign the following upon request:

• Audit Logs and Reports: We can provide reports regarding your organization’s audit logs or provide extracts of log data to verify user activities within your instance. If you want to review how data has been accessed or modified, we will assist in furnishing those details. Match Data Pro is currently creating an in-tool audit log and activity report accessible by administration.
• Security Architecture Overview: We can provide diagrams or documentation explaining the architecture of our solution (showing data flows, component separation, and how our cloud environment is structured on GCP). This can include an outline of our network segregation, use of firewalls, encryption key management, and how the on-prem architecture should be set up for security.
• Policies and Procedures: Upon request, we can share our internal security policies (such as access control policy, password policy, incident response draft, etc.) for your review, under NDA. Although we are a smaller company without extensive formal certifications, we do have documented procedures for sensitive operations (e.g., how we handle employee access to production, how we apply software updates, backup schedules, etc.).
• Compliance Documentation: While we have not completed our own SOC 2 audit, we can provide a mapping of our controls to SOC 2 Trust Service Criteria to show how we address security, availability, and confidentiality requirements. We also can share the underlying Google Cloud compliance certificates (SOC 2 reports, ISO certificates) to demonstrate the environment our SaaS runs on. For on-prem deployments, we can assist in answering questionnaires about how the software works to help you maintain your own compliance.
• Penetration Test Results: If we or a client conducts any penetration test or security assessment of Match Data Pro, we are willing to share the high-level findings or certify that critical issues have been resolved. At present, since formal tests have not been done, this is more of a future commitment – but we will be transparent with any identified vulnerabilities and remediation steps should that situation arise.

Our philosophy is to be a security partner to our clients. We aim to give you as much visibility as you need to trust our platform. If you have a security questionnaire or need a custom evaluation, our team will work closely with you to provide thorough and honest answers. We encourage prospective customers to discuss any security concern with us; we will not exaggerate our capabilities or certifications. Instead, we will give a clear account of how we secure data today and what measures are in place, and we’ll collaborate on any enhancements needed for your comfort.

In summary, Match Data Pro takes security seriously by combining the proven infrastructure security of Google Cloud with our own robust application-level controls. We are confident in our platform’s protections such as encryption, access control, and auditing, and remain transparent about areas we are still improving (like formal certifications and testing). Our goal is to meet the security and compliance expectations of even the most demanding enterprise teams by being open, responsive, and proactive in our approach to protecting your data.