Security and compliance
Authentication flow, role-based access and compliance standards
Overview
This page summarises how we protect customer data and what you should expect when building on the Ballpark API. Replace the placeholders with confirmed details from engineering and legal.
Data protection
Encryption in transit: TLS 1.2+ for all traffic
Encryption at rest: AES-256 for database and object storage
Backups: automated encrypted backups with periodic restore tests [confirm RPO/RTO]
Data residency: primary region [confirm region], optional residency controls [if applicable]
Access control
OAuth 2.0 with scoped tokens; follow least-privilege and request only the scopes you need
Personal access tokens may be available for single-user automation
See Scopes & permissions for a full mapping from resources to scopes
Data retention and deletion
Retention: default retention for responses, transcripts and media is specific to customer needs and in compliance with GDPR requirements
Deletion: permanent deletion on user request via the product or API. Data will be backed up for 30 days and then permanently deleted.
Exports: projects, responses, transcripts and media can be exported using Guides
Subprocessors
We work with carefully vetted subprocessors for hosting, storage and analytics
Full list and DPAs available on request via our https://trust.ballparkhq.com
Incident response
24/7 monitoring and alerting [confirm coverage]
Triage severity levels and playbooks
Customer notification window of [confirm hours] for security incidents impacting data
Responsible disclosure
Report potential vulnerabilities to security@ballparkhq.com
Please include steps to reproduce, affected endpoints and any proof of concept
Coordinated disclosure policy and acknowledgement programme [link]
Compliance and audits
Can be accessed through our trust portal https://trust.ballparkhq.com
SOC II type 2 report
Penetration test report
Policies available on request: Information Security Policy, Data Protection Policy, Incident Response Policy
References
Authentication
Scopes & permissions
Terms of use