Black-and-white line illustration of a folder tree representing projects and studies.

Security and compliance

Authentication flow, role-based access and compliance standards

Overview

This page summarises how we protect customer data and what you should expect when building on the Ballpark API. Replace the placeholders with confirmed details from engineering and legal.

Data protection

  • Encryption in transit: TLS 1.2+ for all traffic

  • Encryption at rest: AES-256 for database and object storage

  • Backups: automated encrypted backups with periodic restore tests [confirm RPO/RTO]

  • Data residency: primary region [confirm region], optional residency controls [if applicable]

Access control

  • OAuth 2.0 with scoped tokens; follow least-privilege and request only the scopes you need

  • Personal access tokens may be available for single-user automation

  • See Scopes & permissions for a full mapping from resources to scopes

Data retention and deletion

  • Retention: the default retention period for responses, transcripts and media is set according to each customer's needs, in compliance with GDPR requirements

  • Deletion: permanent deletion on user request via the product or API. Deleted data remains in backups for 30 days and is then permanently purged.

  • Exports: projects, responses, transcripts and media can be exported using Guides

Subprocessors

  • We work with carefully vetted subprocessors for hosting, storage and analytics

  • Full list and DPAs available on request via our trust portal, https://trust.ballparkhq.com

Incident response

  • 24/7 monitoring and alerting [confirm coverage]

  • Triage severity levels and playbooks

  • Customer notification window of [confirm hours] for security incidents impacting data

Responsible disclosure

  • Report potential vulnerabilities to security@ballparkhq.com

  • Please include steps to reproduce, affected endpoints and any proof of concept

  • Coordinated disclosure policy and acknowledgement programme [link]

Compliance and audits

The following can be accessed through our trust portal, https://trust.ballparkhq.com:

  • SOC 2 Type 2 report

  • Penetration test report

  • Policies available on request: Information Security Policy, Data Protection Policy, Incident Response Policy

References

  • Authentication

  • Scopes & permissions

  • Terms of use