Trust & security
Your records, protected like the season depends on them.
Idunn holds the operational memory of your farm — spray records, compliance, payroll, and maps. We treat protecting it as part of the job, built in from the database up, not bolted on.
The short version
Security-first, and honest about where we are
Idunn is built on infrastructure that is independently audited to SOC 2 Type II for security, availability, and confidentiality — the hosting, database, payments, and AI processing behind the product all carry current, third-party attestations. On top of that foundation we add our own controls: strict organization-level isolation, least-privilege access, encryption, and continuous monitoring.
“We’d rather tell you exactly what protects your data than wave a badge at you.”
To be straight with you: the platforms Idunn runs on hold their own SOC 2 Type II reports, and we can share those on request. Idunn AI is a young company continuing to invest in formal, independent certification of its own controls. In the meantime, everything below is real, in place today, and a complete security-documentation package is available to prospective and current customers under NDA.
How we protect data
The controls behind every record
Your data stays yours
Every record is isolated to your organization and that boundary is enforced at the database layer — not just in the app. One farm can never see another's spray logs, payroll, or maps.
Least-privilege access
Access follows the person's role. Owners, managers, and workers each see only what their job needs, and sensitive actions are gated top to bottom rather than trusted to the screen alone.
Encrypted in transit and at rest
Traffic is served over strong TLS with strict transport security, and records are encrypted where they're stored. On phones, cached field data is encrypted on the device.
Verified sign-in
Accounts sign in with email verification and a second factor, so a leaked password alone can't open the door. Sessions are short-lived and refreshed safely.
Hardened by default
Security headers, framing and content protections, rate limiting on sensitive routes, and safe handling of links and uploads ship on every response — the baseline is on, not opt-in.
Monitored with an audit trail
Administrative actions are logged, errors are captured and watched, and background jobs run behind a dead-man's-switch that alerts us if anything goes quiet.
Available and backed up
Records live on managed, continuously backed-up infrastructure with point-in-time recovery, so a bad day never means a lost season of logs.
Careful, minimal-data AI
The assistant reads only what a question needs and never edits your records. Data sent for AI processing is not used to train third-party models, and the assistant is read-only by design.
How we handle your data
Yours to keep, yours to take
We collect what the work needs
Records come from what you and your crew enter to run the farm. We don’t buy data, and we send only the minimum a feature requires to do its job.
Your records are yours
You can export your data and request deletion. Access is controlled by your organization, and a removed teammate loses access to it. Compliance records are kept as durable, permanent history on purpose.
Built to Oregon & Washington law
Our privacy practices are written to the Oregon Consumer Privacy Act and Washington’s My Health My Data Act, with added care for the worker and health-adjacent records the product handles. See our Privacy Policy and Health Data Notice.
Infrastructure
Standing on audited ground
Idunn runs on a small, deliberate set of providers, each independently audited to SOC 2 Type II and covering a distinct layer of the product:
- Cloud hosting & computeSOC 2 Type II · ISO 27001 — serves the application and API.
- Managed database & authenticationSOC 2 Type II · ISO 27001 · HIPAA — stores your records with encryption at rest and continuous backups.
- Payment processingSOC 2 Type II · PCI DSS Level 1 — card data is handled by the processor; Idunn never stores it.
- AI processingSOC 2 Type II — enterprise data terms; inputs are not used to train third-party models.
- Transactional emailSOC 2 Type II — delivers verification and notification messages.
Our full, named subprocessor list — with links to each provider’s current audit report — is available to customers and prospects on request under NDA.
Compliance status
What we can share today
Subprocessor SOC 2 reports
Current SOC 2 Type II reports for the hosting, database, payment, and AI providers behind Idunn, available on request under NDA.
Security questionnaire
We’ll complete your vendor security questionnaire, or share a standard self-assessment and a written overview of the controls on this page.
Our own certification
We’re continuing to invest in independent certification of Idunn’s own controls. If a formal attestation is a requirement for your operation, tell us — it helps us prioritize.
Security team
Need documentation for a review?
Send us your security questionnaire or ask for our subprocessor reports and controls overview. We answer these ourselves, quickly.