Enterprise-grade security protecting every data point
At Exact Match, security is foundational to everything we do. Our platform is built on a defense-in-depth architecture with multiple layers of protection for your data. We maintain rigorous security practices across our infrastructure, applications, and organizational processes to ensure the confidentiality, integrity, and availability of all data entrusted to us.
Exact Match has achieved SOC 2 Type II certification, demonstrating our commitment to the highest standards of security, availability, processing integrity, confidentiality, and privacy. Our SOC 2 audit is conducted annually by an independent third-party auditor, verifying that our controls operate effectively over time.
All data is protected with industry-leading encryption at every stage:
We are fully compliant with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Our platform includes built-in tools to support consumer rights requests, including the right to know, the right to delete, and the right to opt out. For more details, see our CCPA Consumer Rights page.
All consumer data is processed in strict accordance with our Data Processing Agreement. We implement data minimization principles, ensuring only the data necessary for your specified purpose is collected and processed. Our processing infrastructure is isolated and segmented, with strict access controls and comprehensive audit logging for every data operation.
We implement robust access control mechanisms to protect your data:
Our platform runs on enterprise-grade cloud infrastructure with built-in redundancy and high availability. We utilize multiple availability zones to ensure continuous uptime. Our infrastructure includes network segmentation, web application firewalls (WAF), DDoS protection, and intrusion detection systems. All servers are hardened according to CIS benchmarks and automatically patched for known vulnerabilities.
We conduct regular penetration testing through qualified third-party security firms to identify and remediate potential vulnerabilities. Testing is performed at least annually, with additional assessments following significant platform changes. Our bug bounty program encourages responsible disclosure from the security research community.
We maintain clear data retention policies aligned with legal requirements and business needs. Customer data is retained only as long as necessary to fulfill the purposes for which it was collected. Upon account termination or at your request, we securely delete your data within 30 days using industry-standard data destruction methods. Backup copies are purged according to our retention schedule, not exceeding 90 days after the deletion request.
For security inquiries, vulnerability reports, or to learn more about our security practices, please reach out to our dedicated security team: