How Salmon handles your data
TLS 1.3 in transit. AES-256 at rest. Per-workspace data isolation. Configurable retention windows from 7 to 90 days. This page answers the questions IT and security reviewers ask before approving procurement — including what we do not yet have (SOC 2 certification) and what we do have (documentation, audit logging, written incident response procedures).
What Salmon stores — and what it doesn't
Salmon caches company-level enrichment data (funding, headcount, tech stack) for your configured retention window. It does not store personal names, direct phone numbers, or individual-level contact PII — those pass through to your CRM but are not retained in Salmon's systems.
Transmission security
All data in transit between your CRM, Salmon's enrichment pipeline, and data sources is encrypted using TLS 1.3. Older TLS versions (1.0, 1.1) are disabled. Webhook endpoints enforce HTTPS; plain HTTP is rejected.
Storage encryption
Enrichment results stored in the cache are encrypted at rest using AES-256. Encryption keys are managed separately from stored data. Database infrastructure is not accessible from the public internet.
Configurable retention
Enrichment cache retention is configurable per plan: 7 days on Starter, 30 days on Growth, 90 days on Scale. Data is automatically purged at the end of the retention window. You can request immediate deletion at any time via the dashboard or by emailing [email protected].
Access controls
API key authentication with per-key scope control. Each Salmon workspace is isolated — enrichment data from one customer is never accessible to another. The least-privilege principle is applied to all internal service accounts. Audit logging is enabled by default on the Scale plan.
Designed with SOC 2 controls in mind — not yet certified
We design Salmon with SOC 2 Type II controls in mind: audit logging is on by default on the Scale plan, access controls follow least-privilege, and we maintain written incident response procedures. We are not currently SOC 2 certified — we are not claiming certification, and we will not misrepresent this in any security questionnaire. If SOC 2 Type II certification is a hard procurement gate, contact Kevin directly. He can provide current security documentation and discuss what a customized third-party security review would look like.
Security questionnaires welcome. Kevin reviews every security question from a procurement evaluator personally — email [email protected] with "Security Review" in the subject line.
Common security evaluation questions
Salmon stores the email domain used for enrichment lookups. Full contact PII (personal name, direct phone number) is not stored in Salmon's systems — these fields pass through the pipeline to your CRM but are not retained in the enrichment cache. Company-level enrichment data (funding, headcount, tech stack) is what we cache.
Salmon stores enrichment data on infrastructure hosted in the United States. We do not currently offer EU or other regional data residency options. If your organization has specific data residency requirements, contact Kevin to discuss.
Salmon uses sub-processors for infrastructure hosting, enrichment data sourcing, and email delivery. A current list of sub-processors is available by request — email [email protected]. We maintain data processing agreements with all sub-processors.
In the event of a security incident affecting customer data, Salmon will notify affected customers within 72 hours of discovery via the email address on the account. Our incident response procedure follows NIST SP 800-61 guidance. We maintain documented runbooks for common incident types.
We conduct automated vulnerability scanning on a regular basis and perform manual security reviews for significant changes to the enrichment pipeline. We do not currently publish third-party penetration test results, but this is on our roadmap as we grow. Contact Kevin if you have specific questions about our security testing cadence.
You can request deletion of your enrichment cache data at any time via the Salmon dashboard settings under "Data Management," or by emailing [email protected]. Deletion requests are processed within 72 hours. Account data is purged within 30 days of account closure.