Skip to main content

Legal

Security

How Locaition Matters protects customer data, the controls we operate, and how to report a security issue.

Last updated May 6, 2026 · Effective May 6, 2026

Curated is built for enterprise GIS teams, and the geospatial data our customers entrust to us — parcels, customer records, store-level analytics, sensitive sites — demands a serious security posture. This page describes the controls we operate today and the practices we follow.

This document is descriptive, not contractual. For binding commitments, refer to your Master Services Agreement, Data Processing Agreement, and any executed security addenda.

Compliance posture

Curated is currently building toward formal third-party attestations. Where we are today:

  • SOC 2 Type II — in progress; targeted attestation 2026. Bridge letters and gap assessments available to enterprise prospects under NDA.
  • GDPR — Standard Contractual Clauses available for EEA / UK / Swiss customer transfers.
  • CCPA / CPRA — we honor California resident rights as described in our Privacy Policy.
  • HIPAA — not in scope; Curated should not be used to process Protected Health Information.

Data protection

Encryption in transit. All connections to Curated use TLS 1.2 or higher. HSTS is enforced on all customer-facing domains.

Encryption at rest. Customer data is encrypted at rest using AES-256 or equivalent on all storage tiers.

Tenant isolation. Customer data is logically isolated by tenant. Cross-tenant access is prevented at the application and infrastructure layer.

Key management. Encryption keys are managed by our cloud provider's key management service with automatic rotation. Customer-managed keys (BYOK) are available on enterprise plans on request.

Data residency. Production data is currently hosted in the United States. EU-resident data hosting is available on enterprise plans on request.

Access controls

  • Multi-factor authentication (MFA) is required for all Curated employees with access to production systems.
  • Single sign-on (SSO) via SAML and OIDC is available to customers on enterprise plans. Common IdPs (Okta, Microsoft Entra ID, Google Workspace) are supported.
  • Role-based access control (RBAC) scopes user permissions inside the product. Workspace admins manage roles for their teams.
  • Least privilege. Internal access to customer data is gated by role and audited. Employees cannot view customer content except where a documented support request authorizes it.
  • Session security. Sessions expire after a configurable inactivity period and on logout. Active sessions can be revoked by workspace admins.

Infrastructure security

  • Cloud providers. Curated runs on enterprise-grade cloud infrastructure (AWS, Cloudflare, Sanity). All providers are SOC 2 / ISO 27001 attested.
  • Network isolation. Production workloads run in private networks with no direct internet exposure beyond the public application layer. Internal services communicate over private links.
  • Secrets management. API keys, tokens, and credentials are stored in a managed secrets vault, never in source control.
  • Patching. Operating system and dependency patches are applied on a continuous basis. Critical CVEs are remediated within 7 days; high severity within 30.

Application security

  • Code review. All production code changes require peer review and pass automated static analysis before merge.
  • Dependency scanning. Third-party packages are scanned continuously for known vulnerabilities (npm audit, Dependabot, Snyk equivalents).
  • Authentication. Sessions use short-lived signed tokens. Password storage uses Argon2 / bcrypt with per-record salts.
  • Input validation. All user input is validated server-side. Parameterized queries are used throughout; no string-concatenated SQL.
  • Penetration testing. Annual third-party penetration tests against the production environment. Executive summaries available to enterprise prospects under NDA.

AI and customer data

Curated uses generative AI to translate natural-language questions into geospatial answers. The data handling rules are explicit:

  • No training on customer data. We do not use customer-provided files, queries, or outputs to train foundational AI models. Customer data is processed only to deliver the result you asked for.
  • Provider data-processing terms. When customer data is processed by third-party AI providers (e.g. Google, Anthropic, OpenAI), we operate under their enterprise data-processing agreements that prohibit training on customer content.
  • Audit trail. Significant actions inside Curated (prompts, exports, sharing changes) are logged and available to workspace admins.

Incident response

We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. In the event of a security incident affecting customer data, we will:

  1. Notify affected customers in accordance with applicable law and contractual terms (typically within 72 hours of confirmation).
  2. Provide a written incident summary describing what happened, what we did, and what changes we're making.
  3. Cooperate with customer-side investigation and remediation requests.

Sub-processors

We use a small number of vendors to operate Curated. The current list is available on request and is updated when sub-processors change. Notice of new sub-processors is provided to enterprise customers as required by the DPA.

Representative current sub-processors include cloud hosting (AWS, Cloudflare), CMS (Sanity), email delivery (Resend), product analytics (privacy-preserving providers), AI inference (Google Cloud, Anthropic), and GIS partner (Esri).

Customer responsibilities

Security is a shared responsibility. Customers are responsible for:

  • Configuring SSO, MFA enforcement, and access policies appropriate to their organization.
  • Managing their own user lifecycle (provisioning, deprovisioning, role assignment).
  • Reviewing and approving Curated workspace integrations.
  • Classifying and not uploading data they are not authorized to process (e.g. PHI, payment card data, classified information).

Reporting a vulnerability

If you believe you've found a security issue in Curated, please report it to security@locaitionmatters.com. We acknowledge reports within 2 business days and work in good faith with researchers acting in good faith.

Please do not perform automated testing against our production systems without prior written authorization. We will not pursue legal action against researchers who:

  • Avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Only interact with accounts they own or with explicit permission from the account holder.
  • Provide us a reasonable window to remediate before public disclosure.

Questions

For security questionnaires, customer-side audits, sub-processor lists, or to request our latest SOC 2 / penetration test executive summary under NDA, contact security@locaitionmatters.com.

For other inquiries, contact info@locaitionmatters.com or +1 (803) 814-6288.