Scalient IQ runs against your real revenue data, but never inside your environment: read-only OAuth by default, AES-256 encryption at rest, TLS 1.2+ in transit, AWS US infrastructure, and security controls aligned to SOC 2 Type II with a formal audit in progress. Every external action requires human approval through the HITL Approval Queue.
SiQ engagements operate in two modes with very different access scopes. Both start read-only.
Assessment Mode: strictly read-only. All OAuth scopes are read-only; SiQ cannot write, modify, or delete data in client systems. Output is delivered as a Signal Health Report. No actions are ever taken in your CRM or stack.
Platform Mode: read access plus optional, customer-authorized write-back. Any write action (CRM field updates, outbound communications, play triggers) requires a separate OAuth grant and passes through the HITL Approval Queue before execution. No write action fires without explicit human approval.
| Control | Detail |
|---|---|
| Authentication | OAuth 2.0 with PKCE where the vendor supports it. SiQ uses the same standard OAuth flows that HubSpot, Salesforce, Gong, and Outreach expose to any third-party integration; no custom credentials or shared passwords. |
| Access Level | Assessment engagement: strictly read-only. All OAuth scopes are read-only; SiQ cannot write, modify, or delete data in client systems. Platform engagement: read access plus optional write-back capabilities. Any write scope requires separate customer authorization, and every write action passes through the HITL Approval Queue before execution. |
| Connection Method | REST API over TLS 1.2+ encrypted connections. No direct database access. No VPN tunnels. No agents or code installed in client environments. |
| Scope Transparency | Full list of OAuth scopes provided before authorization. Client reviews and approves each scope explicitly, and the same scope list appears on the vendor's own consent screen at grant time, so it can be checked against what was agreed. |
| Revocation | Client can revoke API access at any time from their CRM admin panel. Revocation is immediate and requires no SiQ involvement. Revocation stops further API access; data already ingested is governed by the retention and deletion terms below. |
| Control | Detail |
|---|---|
| Data in Transit | All data transmitted over TLS 1.2+ encrypted connections. No unencrypted data transfer at any point. |
| Data at Rest | Encrypted using AES-256. All client data stored in isolated, logically separated environments. |
| Data Residency | Client data processed and stored within US-based cloud infrastructure (AWS). No cross-border data transfer without explicit client consent. |
| Data Retention | Assessment engagements: data retained for 90 days post-delivery for support purposes, then permanently deleted. Platform engagements: data retained for the duration of the contract plus a 30-day grace period. |
| Data Deletion | Client can request full data deletion at any time. Deletion completed within 14 business days with written confirmation. |
| PII Handling | SiQ Cortex processes business contact records (name, email, title, company) as provided by the client's CRM. No consumer PII, financial data, or health data is ingested. |
| Control | Detail |
|---|---|
| Cloud Provider | Amazon Web Services (AWS), US regions. |
| SOC 2 Alignment | Security controls aligned to the SOC 2 Type II framework. Formal audit in progress; no Type II report has been issued yet. |
| Access Control | Role-based access (RBAC). All internal access requires MFA. Principle of least privilege enforced. |
| Logging & Monitoring | All API access logged with timestamps, user identity, and action type. Anomaly detection active on all client data endpoints. |
| Incident Response | Documented incident response plan. Client notification within 72 hours of confirmed breach involving their data. |
| Vulnerability Management | Regular dependency scanning and patching. Nothing is installed in client environments: all integrations are customer-authorized, outbound API connections from SiQ infrastructure, with no VPN tunnels and no direct database access (see Connection Method above). |
SiQ Cortex uses AI agents to analyze signals, score pipeline, and generate recommendations. In Assessment Mode, all output is delivered as a read-only report — no actions are taken in client systems.
In Platform Mode, any external-facing action (outbound communications, CRM write operations, stakeholder alerts) requires explicit human approval through the HITL Approval Queue before execution.
HITL governance is a core architectural pattern, not an optional feature. It applies to every AI-generated recommendation that would result in a write action or external communication, including our AI SDR agent, Gage. No automated action fires without a human reviewing and approving it.
| Framework | Detail | Status |
|---|---|---|
| SOC 2 Type II | Controls aligned; formal audit in progress. | Audit in Progress |
| CCPA | No sale of personal information. Deletion requests honored within 14 business days. | Compliant |
| GDPR | Not currently processing EU personal data. Framework in place for future EU expansion. | Ready |
| Data Processing Agreement | Standard DPA covering processing scope, sub-processors, and deletion obligations. | Available on request |