Trust & security

Your records, protected like the season depends on them.

Idunn holds the operational memory of your farm — spray records, compliance, payroll, and maps. We treat protecting it as part of the job, built in from the database up, not bolted on.

The short version

Security-first, and honest about where we are

Idunn is built on infrastructure that is independently audited to SOC 2 Type II for security, availability, and confidentiality — the hosting, database, payments, and AI processing behind the product all carry current, third-party attestations. On top of that foundation we add our own controls: strict organization-level isolation, least-privilege access, encryption, and continuous monitoring.

“We’d rather tell you exactly what protects your data than wave a badge at you.”

To be straight with you: the platforms Idunn runs on hold their own SOC 2 Type II reports, and we can share those on request. Idunn AI is a young company continuing to invest in formal, independent certification of its own controls. In the meantime, everything below is real, in place today, and a complete security-documentation package is available to prospective and current customers under NDA.

SOC 2 Type II infrastructureISO 27001 providersPCI DSS Level 1 paymentsEncrypted in transit & at rest

How we protect data

The controls behind every record

Your data stays yours

Every record is isolated to your organization and that boundary is enforced at the database layer — not just in the app. One farm can never see another's spray logs, payroll, or maps.

Least-privilege access

Access follows the person's role. Owners, managers, and workers each see only what their job needs, and sensitive actions are gated top to bottom rather than trusted to the screen alone.

Encrypted in transit and at rest

Traffic is served over strong TLS with strict transport security, and records are encrypted where they're stored. On phones, cached field data is encrypted on the device.

Verified sign-in

Accounts sign in with email verification and a second factor, so a leaked password alone can't open the door. Sessions are short-lived and refreshed safely.

Hardened by default

Security headers, framing and content protections, rate limiting on sensitive routes, and safe handling of links and uploads ship on every response — the baseline is on, not opt-in.

Monitored with an audit trail

Administrative actions are logged, errors are captured and watched, and background jobs run behind a dead-man's-switch that alerts us if anything goes quiet.

Available and backed up

Records live on managed, continuously backed-up infrastructure with point-in-time recovery, so a bad day never means a lost season of logs.

Careful, minimal-data AI

The assistant reads only what a question needs and never edits your records. Data sent for AI processing is not used to train third-party models, and the assistant is read-only by design.

How we handle your data

Yours to keep, yours to take

We collect what the work needs

Records come from what you and your crew enter to run the farm. We don’t buy data, and we send only the minimum a feature requires to do its job.

Your records are yours

You can export your data and request deletion. Access is controlled by your organization, and a removed teammate loses access to it. Compliance records are kept as durable, permanent history on purpose.

Built to Oregon & Washington law

Our privacy practices are written to the Oregon Consumer Privacy Act and Washington’s My Health My Data Act, with added care for the worker and health-adjacent records the product handles. See our Privacy Policy and Health Data Notice.

Infrastructure

Standing on audited ground

Idunn runs on a small, deliberate set of providers, each independently audited to SOC 2 Type II and covering a distinct layer of the product:

  • Cloud hosting & computeSOC 2 Type II · ISO 27001 — serves the application and API.
  • Managed database & authenticationSOC 2 Type II · ISO 27001 · HIPAA — stores your records with encryption at rest and continuous backups.
  • Payment processingSOC 2 Type II · PCI DSS Level 1 — card data is handled by the processor; Idunn never stores it.
  • AI processingSOC 2 Type II — enterprise data terms; inputs are not used to train third-party models.
  • Transactional emailSOC 2 Type II — delivers verification and notification messages.

Our full, named subprocessor list — with links to each provider’s current audit report — is available to customers and prospects on request under NDA.

Compliance status

What we can share today

Subprocessor SOC 2 reports

Current SOC 2 Type II reports for the hosting, database, payment, and AI providers behind Idunn, available on request under NDA.

Security questionnaire

We’ll complete your vendor security questionnaire, or share a standard self-assessment and a written overview of the controls on this page.

Our own certification

We’re continuing to invest in independent certification of Idunn’s own controls. If a formal attestation is a requirement for your operation, tell us — it helps us prioritize.

Security team

Need documentation for a review?

Send us your security questionnaire or ask for our subprocessor reports and controls overview. We answer these ourselves, quickly.