Security & Data Protection

Your information is secure with Index.

Index Logo

The security of your data is our #1 priority.

Security, reliability, privacy, and compliance are at the heart of everything we do at Index. Safeguarding your information isn't just a part of our daily routine; every facet of our engineering and operations have been vetted to ensure the protection of your data.

We utilize industry-standard cloud infrastructure vendors to provide the Index service, and also implement additional processes and controls. Our posture is informed by industry experts, and we also bring deep expertise in operating secure software from our time at some of the world's best and most advanced software companies.

Backups occur on a daily basis to a separate region, are persisted, and regularly tested for recovery. All data is encrypted with industry-standard encryption at rest (AES-256) and in transit (HTTPS/TLS). We also conduct static code analysis, external penetration tests, third-party vulnerability scanning and audits, and also implement many other industry-standard Cloud security techniques.

Explore our Security & Data Protection Center, where you'll find detailed information on our controls along with supporting documentation. If you have any questions, please don't hesitate to contact us at

Significant investment in our security roadmap

In addition to the robust controls already in place, we have an extensive security and privacy roadmap that we're actively pursuing, with features that will be offered to all new and existing customers:

  • SOC 2 Type I: In progress
  • Audit logs: Upcoming
  • Data residency: Upcoming

Frequently asked questions

What data does Index store?

When provisioning a user account, we store your full name, email address, and (optionally) a profile photo.

While using Index, users can import and directly enter text data. To best understand the data that your organization expects to store in Index, we recommend talking to the individuals who will be entering data into our system. Most individuals will use Index to store work planning data such as information about projects, goals, objectives, and teams.

Where does Index store data?

We store data in Amazon Web Services (AWS) data centers in the United States. Your data will be stored in us-west-2 (Oregon) with database replication to us-west-1 (N. California) for backups.

Is Index SOC 2 compliant?

We're actively pursuing SOC 2 Type I certification with the vast majority of necessary controls already in place. We expect to complete our audit and receive certification by the middle of this year (2024).

Do you fill out security assessments?

Yes. We are happy to fill out security assessments on request – please contact us.

Is external penetration testing performed, and has the platform been reviewed by an independent third-party?

Yes to both. Our external penetration tests are performed at least annually, with the most recent test and comprehensive review completed on the 7th of May 2024. All findings were remediated.

Is your data encrypted?

Yes, Index provides industry-standard encryption at rest (AES-256) and in transit (HTTPS/TLS).

Do you provide SAML, Single Sign-On (SSO), or advanced authentication controls?

Yes. We provide SSO on our Enterprise plan, compatible with most IdPs with support for both SAML and OIDC protocols. Please contact us with your specific requirements for more information.

Do you have a list of subprocessors?

Yes, an updated list of data subprocessors is available by request. Contact us at and we'll be happy to help.

How can I report security issues and vulnerabilities?

Index takes security issues and vulnerabilities very seriously. If you believe you have found a security issue, please contact us at and we'll review it as soon as possible.

Does Index have a bug bounty / responsible disclosure program?

Yes. Index has a private Bug Bounty program that rewards researchers for finding and reporting security vulnerabilities. For more information, or to report a vulnerability, please visit our Responsible Disclosure page or reach out to us at

How can I access, transfer, or delete my data?

Contact us at and we'll be happy to help.