Security at Manifestly

Run regulated work on software built for it.

Operating since 2014, Manifestly is SOC 2 Type II compliant and trusted by thousands of users in financial services, legal, operations, and IT teams across 20+ countries.

  • Operating since: 2014
  • Customers in: 25+ countries
  • Compliance: SOC 2 Type II
  • Penetration tests: Independent

01 · Compliance & Certifications

Independently audited. Continuously.

Annual third-party audit against the AICPA Trust Services Criteria, plus GDPR and CCPA processing standards.

SOC 2 Type II

Manifestly is audited annually by an independent third party against the AICPA Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy.


Last audit: March 11, 2026
Auditor: INTERCERT CPA LLC
Report: Available by request in the Trust Center

GDPR & CCPA

Manifestly processes customer data in accordance with the EU General Data Protection Regulation and the California Consumer Privacy Act.

A Data Processing Addendum is available on request to any customer subject to these regulations.

02 · Data Security

Encrypted in transit, encrypted at rest, backed up by default.

Modern cryptography for everything that moves and everything that's stored. Backups, residency, and recovery are documented in the Trust Center.

Encryption in transit

All data between customer devices and Manifestly is encrypted using TLS 1.2 or higher.

Older protocols and weak cipher suites are disabled.

Encryption at rest

Workflow content, attachments, and audit logs are encrypted at rest using AES-256.

No customer data is stored on disk in plaintext.

Backups & recovery

Heroku Postgres (Premium) with point-in-time recovery, plus scheduled encrypted backups to Amazon S3.

Backup retention:

  • Daily: 7 days
  • Weekly: 8 weeks
  • Monthly: 12 months

All backups are stored in the United States, consistent with our data residency posture. Disaster recovery procedures are documented in the Trust Center.

03 · Access Control & Authentication

Single sign-on, role-based control, and a complete audit trail.

Control who can do what — and keep an exportable record of who did what, when.

SAML Single Sign-On

Available on enterprise plans. SAML 2.0 works with any compliant identity provider.

Supported identity providers: Okta, Microsoft Entra ID, Google Workspace, OneLogin, or any SAML 2.0 IdP.

Role-Based Access Control

Granular permissions by department, role, and workflow. Administrators control who can:

  • Author and edit SOPs
  • Run workflows and assign tasks
  • View completion history and audit logs
  • Export data
  • Manage users and integrations

Audit logs

Every action logged with the acting user and timestamp. Retained for the life of the account, exportable for compliance review.

  • Workflow creation, edits, and version changes
  • Workflow runs, step completions, and skips
  • Data field changes
  • User and permission changes
  • Data exports
  • Integration and API activity

04 · Application Security

Security work, every commit and every release.

Code review, static analysis, dependency scanning, and an annual third-party penetration test.

Secure development lifecycle

  • Code review required for every production change
  • Static analysis (SAST) runs on every build
  • Dependency scanning for known vulnerabilities
  • Pre-production isolated from production data

Vulnerability management

Continuous monitoring of third-party dependencies. Patch SLAs:

  • Critical: within 24 hours
  • High: within 7 days

Penetration testing

Annual third-party penetration tests covering the application and supporting infrastructure.

A summary report is available under NDA.

Responsible disclosure

Found something? Report it to security@manifest.ly. We acknowledge reports within 2 business days.


05 · Infrastructure Security

Built on Heroku, on AWS. Inheriting their controls.

Manifestly inherits the physical security, environmental controls, and certifications of Heroku and AWS — SOC 2, ISO 27001, PCI DSS.

Cloud hosting

Manifestly runs on Heroku, which operates on Amazon Web Services.

Network security

  • TLS-terminated load balancers
  • Internal services on Heroku private network
  • Databases not publicly exposed

Inherited certifications: SOC 2, ISO 27001, PCI DSS

Data residency

Customer data is hosted in the United States.

Backups, primary storage, and processing — all US-resident.

06 · AI & MCP Security

Built on our security model. Not bolted onto it.

Manifestly's MCP server lets AI agents — Claude, ChatGPT, Microsoft Copilot, Gemini Enterprise — work with your workflows, SOPs, and assignments. Same permissions. Same audit trail.


AI inherits user permissions

Connected agents can only perform actions the authorizing user is authorized to perform. No elevated privileges, no service accounts with broader access, no shadow paths around RBAC.

AI actions appear in the audit log

Actions performed by AI agents are recorded under the user who authorized the connection and flagged as AI-initiated.

Explicit, revocable connections

Users connect AI agents through an authenticated flow. Connections can be revoked at any time by the user or by an administrator.

Administrative controls

Enterprise administrators can disable AI features entirely for their organization.

07 · Privacy & Data Handling

Your data. Processed only to provide the service.

Clear ownership, a standard DPA, a maintained subprocessor list, and a published retention schedule.

Data ownership

Customer data belongs to the customer. Manifestly processes it solely to provide the service and as directed by the customer.

Data Processing Addendum

Standard DPA covers GDPR, UK GDPR, and CCPA.

Contact: privacy@manifest.ly

Subprocessors

Current list maintained in the Trust Center. Advance notice of additions per DPA terms.


Deletion requests

Specific records or full account deletion at any time. Verified requests honored within statutory timeframes.

Data retention timeline

  1. Active account: retained for the duration of the subscription.
  2. After termination (6 months): available for export. Customer can request earlier deletion.
  3. After the 6-month window: permanently deleted from production systems and backups.

08 · Operational Security

The boring habits that keep the doors locked.

Tight access, vetted staff, recurring training, and a defined response plan when something goes wrong.

Employee access

Production access to customer data is restricted to Manifestly's co-founders. Access requires MFA.

Background checks

All employees with access to customer data complete background checks prior to employment, where permitted by local law.

Security training

All employees complete training on hire and at least annually. Engineering staff receive additional secure-coding training.

Vendor management

Third parties with access to customer data are reviewed before engagement and reassessed annually.

Incident response

Documented incident response plan. Affected customers are notified within 48 hours of confirmation.

09 · Responsible Disclosure

Found a vulnerability? Tell us.

We work with researchers in good faith and credit them on request.

security@manifest.ly

We commit to:

  • Acknowledging your report within 2 business days
  • Investigating in good faith with reasonable status updates
  • Not pursuing legal action against researchers acting in good faith
  • Crediting researchers (with permission) once issues are resolved

Trust Center

Everything procurement, security, and compliance teams ask for — in one place.

Pull the latest report, monitoring posture, and subprocessor list from our Trust Center — no NDA round trip required.

Available inside:

  • SOC 2 Type II report (under NDA)
  • Current subprocessor list
  • Penetration test summary
  • Disaster recovery procedures
  • Incident response plan
  • DPA template
  • Vulnerability disclosure policy