Compliance
SignalSmith’s warehouse-native architecture provides a strong foundation for regulatory compliance. Because customer data stays in your warehouse, you maintain direct control over data residency, access, and retention. This page outlines how SignalSmith supports GDPR, CCPA, and SOC 2 requirements, and which governance features help you meet compliance obligations.
GDPR
The General Data Protection Regulation (GDPR) applies to organizations that process personal data of EU residents. SignalSmith supports GDPR compliance through architectural design and specific platform features.
Data Processing
- Warehouse-native processing — Customer data is processed via SQL queries in your warehouse. SignalSmith acts as a data processor, not a data controller. Your warehouse is the authoritative store, and your organization retains controllership.
- Data Processing Agreements (DPA) — SignalSmith provides a DPA that covers the metadata and operational data stored in the platform. Contact your account team to execute a DPA.
- Data minimization — Field mapping ensures only necessary data is sent to destinations. Send only the fields each destination needs.
- Purpose limitation — Destination filters can enforce which audiences sync to which tools, preventing data from flowing to unintended destinations.
Right to Deletion (Right to Erasure)
When a data subject requests deletion under Article 17, you need to remove their data from all systems. SignalSmith supports this workflow:
- Delete from your warehouse — Remove the individual’s records from your source tables using your existing data deletion processes
- Re-evaluate audiences — On the next audience evaluation, the individual will automatically exit all audiences they were a member of
- Sync removals to destinations — Audience syncs in Mirror mode will remove the individual from destination lists on the next sync run
- Audit trail — The deletion propagation is logged in the audit trail, providing evidence of compliance
For immediate removal from destinations (without waiting for the next scheduled sync), trigger a manual sync run after deleting the source data.
Consent Management
The Events module supports consent-based data processing:
- Consent categories — Define consent categories (e.g., marketing, analytics, functional) and tag events accordingly
- Forwarding rules — Configure event forwarding rules that respect consent status. Events are only forwarded to destinations when the user has granted the relevant consent category.
- Consent events — Track consent grants and revocations as events, providing an auditable record of consent state changes.
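The consent gating described above, as an added example (not SignalSmith code or its API): it replays consent grant and revocation events to derive consent state at each event's timestamp and forwards only events whose category was granted at that moment. The field names, event type strings, and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical event shape; not SignalSmith's event schema.
@dataclass(frozen=True)
class Event:
    user_id: str
    ts: int                  # epoch seconds
    type: str                # "consent_granted", "consent_revoked", or a tracked event name
    category: Optional[str]  # consent category the event is tagged with

CATEGORIES = {"marketing", "analytics", "functional"}
CONSENT_TYPES = {"consent_granted", "consent_revoked"}

def consent_at(events, user_id, category, ts):
    """Replay consent events up to and including ts; the latest one wins.
    With no consent record at all, the answer is False (fail closed)."""
    granted = False
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.ts > ts:
            break
        if e.user_id == user_id and e.category == category and e.type in CONSENT_TYPES:
            granted = (e.type == "consent_granted")
    return granted

def forwardable(events):
    """Return tracked events that may be forwarded to destinations."""
    allowed = []
    for e in events:
        if e.type in CONSENT_TYPES:
            continue  # consent events are the audit record, not payload
        if e.category not in CATEGORIES:
            continue  # untagged or unknown category: do not forward
        if consent_at(events, e.user_id, e.category, e.ts):
            allowed.append(e)
    return allowed

# Constructed sample stream.
SAMPLE = [
    Event("u1", 100, "consent_granted", "marketing"),
    Event("u1", 110, "page_view", "marketing"),      # forwarded
    Event("u1", 120, "consent_revoked", "marketing"),
    Event("u1", 130, "add_to_cart", "marketing"),    # blocked: revoked at 120
    Event("u1", 140, "page_view", "analytics"),      # blocked: never granted
    Event("u2", 150, "page_view", None),             # blocked: untagged
]

if __name__ == "__main__":
    for e in forwardable(SAMPLE):
        print(e)
```

Evaluating consent as of each event's timestamp, rather than as of the current moment, keeps the decision reproducible from the consent events alone when the stream is reviewed later.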
Lawful Basis Documentation
While SignalSmith doesn’t enforce a specific lawful basis framework, its governance features help you document and implement your chosen approach:
- Audience descriptions — Document the purpose and lawful basis for each audience
- Destination filters — Encode data flow restrictions as enforceable policies
- Audit logs — Provide evidence of what data was processed, when, and why
CCPA
The California Consumer Privacy Act (CCPA) grants California residents rights over their personal information. SignalSmith supports CCPA compliance through the following mechanisms.
Opt-Out Support (Right to Opt-Out of Sale)
If you sell or share personal information (as defined by CCPA), consumers have the right to opt out. SignalSmith supports this through:
- Suppression audiences — Build audiences of opted-out consumers and sync them as suppression lists to ad platforms and data brokers
- Destination filters — Block specific audiences from being sent to destinations categorized as data sales channels
- Event consent — Honor opt-out signals in event forwarding rules to stop sharing behavioral data
Data Access Requests (Right to Know)
When a consumer requests to know what personal information you’ve collected:
- Query your warehouse directly for the consumer’s records
- Use the Profile Explorer to view the unified profile
- Export the relevant data from your warehouse using your standard data access processes
SignalSmith’s metadata (audience memberships, sync history) can be retrieved via the API for inclusion in the access response.
Do-Not-Sell Compliance
For destinations that involve data sharing that could qualify as a “sale” under CCPA:
- Tag destinations — Categorize destinations by their data sharing purpose
- Destination filters — Create rules that prevent opted-out consumers from being synced to tagged destinations
- Automated enforcement — Once configured, the rules apply automatically to all syncs, removing the risk of manual errors
Data Deletion Requests
The deletion workflow mirrors GDPR’s right to erasure (see above). Delete the consumer’s data from your warehouse, and SignalSmith propagates the removal through audience evaluations and sync runs.
SOC 2 Type II
SOC 2 Type II is an auditing standard that evaluates an organization’s controls over security, availability, processing integrity, confidentiality, and privacy. SignalSmith provides capabilities that support SOC 2 compliance across several trust service criteria.
Security
| Control Area | SignalSmith Capability |
|---|---|
| Access control | RBAC with defined roles (Admin, Editor, Viewer). All access authenticated via Firebase/GCP Identity Platform. |
| Encryption in transit | TLS 1.2+ for all connections |
| Encryption at rest | AES-256 for credentials, bcrypt for API keys |
| Logging and monitoring | Comprehensive audit log covering all user actions, API calls, and system operations |
| Change management | All configuration changes logged with actor, timestamp, and before/after state |
Availability
| Control Area | SignalSmith Capability |
|---|---|
| System monitoring | Health endpoints (/healthz), sync health dashboards, SLA compliance tracking |
| Error handling | Sync run error capture, retry logic, failure notifications |
| Capacity planning | Throughput and duration metrics for capacity assessment |
Processing Integrity
| Control Area | SignalSmith Capability |
|---|---|
| Data validation | Schema validation, event contracts, filter validation |
| Processing accuracy | SQL-native computation with transparent queries, preview/estimate before save |
| Error detection | Per-record error tracking in sync runs, anomaly detection in audience trends |
Confidentiality
| Control Area | SignalSmith Capability |
|---|---|
| Data classification | Warehouse-native architecture limits data exposure. Credentials encrypted and never logged. |
| Access restrictions | RBAC, access filters for row-level access, destination filters for data flow control |
| Data disposal | Configurable retention policies with automated purge |
Privacy
| Control Area | SignalSmith Capability |
|---|---|
| Consent management | Event-level consent categories and forwarding rules |
| Data minimization | Field mapping restricts what data reaches each destination |
| Individual rights | Deletion propagation, access request support, opt-out enforcement |
Data Residency
SignalSmith’s warehouse-native architecture gives you direct control over data residency:
- Customer data — Resides in your data warehouse, in the region you chose when provisioning it. SignalSmith does not move this data to another region.
- SignalSmith metadata — Stored in the region where your SignalSmith deployment is hosted. For self-hosted deployments, you choose the region. For managed deployments, discuss region requirements with your account team.
- Destination data — Data sent to third-party destinations is subject to those destinations’ data residency policies. Review each destination’s data handling practices independently.
Governance Features Supporting Compliance
SignalSmith provides several governance features that help implement and enforce compliance policies:
| Feature | Compliance Benefit |
|---|---|
| Destination Filters | Control where data flows — prevent PII from reaching unauthorized destinations |
| Access Filters | Row-level access control — restrict data visibility by region, team, or sensitivity |
| RBAC | Least-privilege access — define who can see and do what |
| Audit Logs | Full accountability trail — who did what, when, and how |
| Consent Management | GDPR/CCPA consent enforcement for event forwarding |
| Event Contracts | Data quality at collection — enforce schemas on incoming events |
| AI Guardrails | Safety controls for AI operations — approval workflows and deny policies |
Related Resources
- Data Handling — How SignalSmith processes and protects data
- Govern — RBAC, destination filters, and access filters
- Events — Event collection, consent management, and forwarding
- Destination Filters — Data flow restrictions