Trust & security

Built for the security and compliance bar your customers expect.

SOC 2 Type II (in progress). ISO 27001 (in progress). GDPR compliant. Peppol Access Point certified. Full security posture documented below.

Certifications

Where we are, transparently.

SOC 2 Type II

In progress

Audit underway. Auditor: Big 4 firm. Scope: full platform.

ISO 27001

In progress

Certification underway. Scope: information security management system.

GDPR

Compliant

Data Protection Officer appointed. Privacy notice at /privacy.

Peppol Access Point

In progress

OpenPeppol authority. ANZ (PINT A-NZ), EU (BIS 3.0), Singapore, Malaysia.

HIPAA-Ready

Compliant

Architecture compliant for US healthcare customers. BAA available on request.

Data residency

Your data, in your region.

ANZ customers

Data stored in AWS Sydney and Auckland regions.

EU customers

Data stored in AWS Frankfurt and Dublin regions.

UK customers

Data stored in AWS London region.

US customers

Data stored in AWS Virginia and Oregon regions.

Singapore and Malaysia customers

Data stored in AWS Singapore region.

No cross-region data transfer occurs without explicit customer opt-in. Backups stay within the same region as primary data. Disaster recovery is region-paired (Sydney↔Melbourne, Frankfurt↔Dublin, etc.).

Infrastructure

How the platform is built.

Hosting and infrastructure

AWS multi-AZ across designated regions.

Encryption

AES-256 at rest, TLS 1.3 in transit, key management via AWS KMS with customer-managed keys available on Scale tier.

Authentication

SSO via SAML 2.0 and OIDC, MFA enforced for all admin accounts.

Authorisation

Role-based access control, audit logging on all administrative actions.

Backups

Encrypted snapshots, 30-day retention, point-in-time recovery to 5 minutes.

Security program

Continuous, documented controls.

Application security

SAST and DAST scanning on every deployment, annual third-party penetration testing, and continuous dependency vulnerability scanning.

Infrastructure security

AWS Security Hub monitoring, GuardDuty threat detection, CloudTrail audit logging, AWS WAF and Shield for DDoS protection.

Operational security

SOC 2 Type II controls (in progress), incident response within 4 hours for P1 incidents, and quarterly security awareness training for all team members.

Vendor management

All sub-processors vetted and documented in /privacy/sub-processors.

Privacy

Personal data handling.

Sable handles personal data in compliance with GDPR, UK GDPR, the Australian Privacy Act 1988, the New Zealand Privacy Act 2020, CCPA, and Singapore PDPA. Data Processing Agreements available for enterprise customers. Sub-processor list maintained at /privacy/sub-processors with 30-day notice for any new sub-processors.

Vulnerability disclosure

Responsible disclosure process.

If you've found a security issue, email christian@getsable.io with a description and steps to reproduce.

  • Acknowledgment within 24 hours
  • Initial assessment within 72 hours
  • Resolution timeline communicated based on severity
  • Credit for valid findings (or anonymity if preferred)

Compliance documents

Request the document you need.

We'll respond within one business day with the requested documents under NDA where applicable.

Stop building integrations. Start trading.

See how Sable cuts your trading partner onboarding from months to days.