Security & Trust

Last updated: June 25, 2026

Slate is built to keep your courses and account data private and secure. This page summarizes our security posture, our compliance status, the sub-processors we rely on, and how to report a vulnerability. For a deeper review, request our Security & Compliance Overview or a Data Processing Agreement at [email protected].

Compliance status

We aim to be precise about what we hold and what we do not.

Standard | Status
GDPR | Compliant. We publish a Privacy Policy, offer a Data Processing Agreement, maintain the sub-processor list below, and provide self-service content export and account deletion.
SOC 2 Type II | Not held by Slate today. Slate runs on SOC 2 Type II certified infrastructure, and we can share each provider's report links. We intend to pursue our own attestation as we scale.
ISO 27001 | Not held by Slate today. Our core infrastructure providers are ISO 27001 certified, and we can evidence that.

We do not claim our providers' certifications as our own. We give you a clear picture of certified infrastructure plus Slate's own controls, described below.

How we protect your data

  • Encryption: TLS for data in transit, and encryption at rest for our database and file storage.
  • Tenant isolation: every account's data is isolated using database row-level security, so only you can access your courses, media, and analytics. This is enforced at the database, not only in application code.
  • Authenticated APIs: every private endpoint is authenticated, and privileged actions verify ownership before they run.
  • Safe handling of course content: course HTML is sanitized, and any author-supplied code runs inside an isolated sandbox with no access to the page, your storage, or the network.
  • Edge protection: a web application firewall with DDoS protection and bot mitigation sits in front of the platform.
  • Secrets and monitoring: secrets are never stored in source code, and our error monitoring scrubs personal data before it is sent.

Sub-processors

Slate uses a small set of certified providers to deliver the Service. Each is bound by a data-protection agreement. You can obtain their audit reports and certificates from their trust centers.

Provider | Role | Certifications | Trust center
Supabase | Database, authentication, file storage | SOC 2 Type II, ISO 27001 | supabase.com/security
Cloudflare | Hosting, CDN, WAF, DDoS protection | SOC 2 Type II, ISO 27001 | cloudflare.com/trust-hub
Stripe | Payment processing | SOC 2 Type II, ISO 27001, PCI DSS Level 1 | stripe.com/legal/dpa
Google Cloud | AI generation, translation, voice narration | SOC 2 Type II, ISO 27001 | cloud.google.com/security/compliance
Resend | Transactional email | SOC 2 Type II | resend.com/security
MailerLite | Product and marketing email | ISO 27001 | mailerlite.com
Sentry | Error monitoring | SOC 2 Type II, ISO 27001 | sentry.io/security

Some providers are used only when you use the related feature: ElevenLabs (Pro voice narration), Anthropic (Slate MCP), the stock-image providers Pexels, Unsplash, and Pixabay (image search), and Canva (Slate for Canva). The full disclosure, including services used only on our marketing website, is in our Privacy Policy.

Data handling

  • We do not sell your personal data.
  • We do not use your course content to train AI models. Our AI features run on a paid tier under which the provider does not train on prompts or responses.
  • Payment card data is handled by our PCI DSS Level 1 payment processor and is never stored on Slate's servers.
  • Our primary data store is in the United States. An EU region is on our roadmap for customers with residency requirements.
  • If you delete your account, we remove your personal data and content within 30 days, except where the law requires retention.

Reporting a vulnerability

If you believe you have found a security issue in any Slate product, please email [email protected] with the affected product or URL, steps to reproduce, and the impact. We aim to acknowledge good-faith reports that include a specific, reproducible finding within 48 hours, and we work toward coordinated disclosure. We read and act on every credible report. We run a responsible-disclosure program and do not operate a paid bug-bounty program at this time. Messages without a specific, reproducible finding may not receive a response.

Working with your security team

We are glad to support your vendor review. On request we can:

  • Share our Security & Compliance Overview and the sub-processor matrix with direct report links.
  • Provide and sign a Data Processing Agreement.
  • Complete a security questionnaire.
  • Walk your team through our architecture and controls on a call.

Contact [email protected].