Search documentation...




Hightouch is committed to building a data activation tool that's held to the highest possible security standards, as we work with large healthcare, financial and public enterprises to sync sensitive customer data to downstream tools and systems.

All Hightouch customers have the option to ensure no customer data is stored in Hightouch's Infrastructure at all.

This document breaks down our security and infrastructure in greater detail, and also outlines a couple of options each customer has for data transfer and storage, with associated considerations.


We're compliant with SOC 2 Type 2, HIPAA, GDPR, CCPA and, Privacy Shield.

In addition to these certifications:

  • We have regular third-party penetration testing (please contact your Customer Success Manager for the latest report)
  • Have automated vulnerability scanning in our platform

SOC 2 Type 2 audit report

If you are an existing Hightouch customer, contact your Customer Success Manager or ping us in your dedicated Slack channel and We're more than happy to give you our SOC 2 audit report. If you are trialing Hightouch, your point of contact can provide you with the SOC 2 audit report under NDA.

Basic architecture overview

Hightouch connects to your data warehouse (similar to any Business Intelligence tool). We can connect through an SSH or reverse SSH tunnel, and once you've obtained a connection you'll be able to define data models that you'll want to sync to downstream tools, via SQL. These data models are purely SQL definitions and do not store data.

A sync defines how data should be mapped to a destination, and how often it should run. When a Hightouch sync initiates, Hightouch executes the SQL query (associated with your data model) on your data warehouse, identifies only the incremental rows that need to be sent to the associated downstream tool (since the last subsequent sync), and will then translate these rows to the appropriate APIs.

Customer data is only flowing through our infrastructure during an "active sync," is encrypted in-transit via TLS as it's flowing through our system, and our compute instances aren't exposed to the internet (and are secured according to AWS cloud security best-practices).

After sending data downstream, Hightouch stores off full request/response payloads into a cloud storage bucket (AWS S3, Google Cloud Storage, etc.) which can be the customer's own cloud bucket within their own infrastructure. Our live debugger in the workspace actually directly queries from this cloud bucket for row-level debugging, and you can set your own custom retention policies for these logs.

Change data capture

Between syncs, Hightouch will automatically identify the incremental changes in your data models based on the primary key of the records, so that only updates (added, changed, or removed records) are sent to the destination. Two different methods are available to support this process, and it's your choice as to which one you'd like to use:

  • Warehouse Planning - This is our recommended option, and allows the diff compute to be done within the customer warehouse. To allow this, Hightouch will need WRITE access to a specific table in your warehouse, which will simply store metadata from previous syncs in your warehouse. This allows for faster syncs at higher volumes, and our larger ENT customers are typically using our warehouse planning for performance reasons.
  • Local Diffing - This is our default method, where we'll store previous diffs in an S3 bucket. If you're on our Self-Service Tier, this will be an encrypted S3 bucket that we maintain on your behalf, however on our Business tier, you can configure Hightouch to use your own S3/GCP bucket so no data is ever stored in Hightouch's infrastructure. With local diffing, the actual compute to diff each query is done in our infrastructure, so it has slightly slower sync speeds but has the benefit of not requiring WRITE access to your data warehouse and offloads some compute from your warehouse.

Bring your own bucket

On our self-service payment tiers, Hightouch stores your query results in an encrypted Amazon S3 bucket on your behalf with a retention policy of 30 days.

If you would like more control over your data, you can host your own bucket in your own AWS or Google Cloud instance on a custom pricing plan. Please contact your Hightouch account representative for details on getting access to this feature.

    Need help?

    Our team is relentlessly focused on your success. We're ready to jump on a call to help unblock you.

    • Connection issues with your data warehouse?
    • Confusing API responses from destination systems?
    • Unsupported destination objects or modes?
    • Help with complex SQL queries?

    Feature Requests?

    If you see something that's missing from our app, let us know and we'll work with you to build it!

    We want to hear your suggestions for new sources, destinations, and other features that would help you activate your data.

On this page

OverviewComplianceSOC 2 Type 2 audit reportBasic architecture overviewChange data captureBring your own bucket

Was this page helpful?