Security you can audit.
One identity model, one audit log, one set of controls across every service. Compliance is enforced at the data-adapter boundary — not hidden in the UI.
SOC 2 Type II
Independently audited security, availability, and confidentiality controls.
ISO 27001
Certified information-security management system.
HIPAA-ready
BAA-eligible configurations for protected health information.
GDPR
DPA, SCCs for transfers, and data-subject request handling.
PCI DSS
Card data handled by Stripe (PCI Level 1); Segal never stores PANs.
Audit logging
Every privileged mutation recorded — who, what, when, before/after.
Every resource carries its region. Choose where data lives; filter by residency in the console. Region certifications:
| Region | Location | Tier | Certifications |
|---|---|---|---|
| us-west-1 | Reno, United States | Tier IV | SOC 2 Type II · ISO 27001 · HIPAA |
| us-east-1 | Ashburn, United States | Tier IV | SOC 2 Type II · ISO 27001 · HIPAA · PCI DSS |
| eu-central-1 | Frankfurt, Germany | Tier IV | SOC 2 Type II · ISO 27001 · GDPR · EN 50600 |
| apac-sg-1 | Singapore, Singapore | Tier III | SOC 2 Type II · ISO 27001 · MTCS Tier 3 |
| me-uae-1 | Abu Dhabi, United Arab Emirates | Tier IV | ISO 27001 · ISO 22301 |
| ap-ph-1 | Manila, Philippines | Tier III | ISO 27001 |
GPU compute and certain network control surfaces are subject to U.S. export controls (EAR; some items ITAR-adjacent). Access to export-controlled regions and VPN exit nodes is gated on eligibility screening, enforced server-side at the adapter boundary.
We do not provide access to denied parties or embargoed destinations. Blocked actions return a clear, typed restriction — not a silent failure.
Representative list — the maintained register is available on request.
| Stripe | Payments + PCI | Global |
| Neon | Managed Postgres | Multi-region |
| Resend | Transactional email | Global |
Build on a platform you can audit.
Region-pinned data, scoped access, and a single audited control plane across every service.