Security & Trust
How SYGNAL protects emergency-response data — enterprise cloud infrastructure, encryption everywhere, and privacy by default. Last updated: April 2026.
Infrastructure
SYGNAL runs entirely on Google Cloud Platform — the same enterprise infrastructure that powers Gmail and Google Workspace. We deploy on managed services so that platform patching, capacity planning, and physical security are handled by Google's engineering teams under their continuously audited security program.
Encryption
Every connection to SYGNAL is encrypted in transit with TLS 1.2 or higher. Data at rest is encrypted with AES-256 using Google-managed keys. There is no path that moves session data unencrypted at any layer of the stack.
Authentication and Access
Account access uses OAuth-based authentication with the option of email/password, Apple, or Google sign-in. Session data is scoped per session — only authenticated participants of a given session can read the data inside it. Anonymous join via short code remains authenticated on the back end, so every read or write is tied to an identity. Administrators can revoke access at any time. Enterprise licenses are validated server-side at every app launch; suspended or revoked licenses terminate active sessions within 24 hours.
Privacy and Data Minimization
We collect the minimum information needed to run the service: a display name and (if you create an account) an email address. Session telemetry is bound to the session — once a session ends, ongoing transmission stops and the session is sealed. We do not sell personal information. We follow the principles of GDPR and CCPA/CPRA. See the Privacy Policy for the full list of data categories and your rights.
Standards
Our cloud infrastructure provider (Google Cloud) holds the following independent third-party certifications, all renewed annually: ISO/IEC 27001 (Information Security Management), ISO/IEC 27017 (Cloud Services Security), ISO/IEC 27018 (Personally Identifiable Information in Public Clouds), SOC 1, SOC 2 Type II, and SOC 3 reports, PCI DSS for payment processing partners, and HIPAA-eligible services covered by BAA where applicable. These certifications cover the underlying platform SYGNAL is built on. Audit reports for the platform itself are available directly from Google upon request.
Data Residency and Retention
SYGNAL data is stored on multi-region cloud storage in North America by default. Account data is kept for the life of your subscription. Session and after-action data is retained according to your plan, and you may request deletion of any session at any time. On account closure we delete personal data within 90 days.
Responsible Disclosure
If you believe you have found a security vulnerability in SYGNAL, please email us at support@sygnalapp.com. We commit to acknowledging good-faith reports within three business days, working with you on a fix, and crediting researchers who request it. Please do not publish details until a patch is available.
For Emergency-Service IT Teams
SYGNAL is designed with the realities of fire, EMS, and hazmat operations in mind. Sessions are isolated per organization, no public who-is-on-shift telemetry is leaked, and we do not require ingestion of CAD or records-management data. If your procurement process requires a vendor security questionnaire, send it to support@sygnalapp.com and we will return it within one week.
Contact
For security, privacy, or data-rights questions: support@sygnalapp.com or call 1 (888) 306-7880.