Security · continuously monitored

Security you can verify.

Your data and privacy aren't a feature — they're the foundation. Catch is built on certified infrastructure, tested by outside experts, and transparent by default. We'll never sell your data, and we'll always tell you exactly how it's handled.

SOC 2 Type II infrastructure · GDPR compliant · CCPA compliant · AES-256 at rest · TLS 1.3 in transit · Third-party pen tested · DDoS-protected edge · Google Cloud infra · US data residency · Anonymized analytics · 24/7 monitoring · Least-privilege access

0: Times we've sold your data
100%: Anonymized in analytics & BI
24/7: Infrastructure monitoring
256-bit: AES encryption at rest

// How we protect you

Security built in, not bolted on.

Three commitments hold the whole thing up — testing, policy, and transparency. None of them are optional.

01 / Testing

Independent penetration testing

The only way to know a system is hardened is to have someone try to break it. Our platform is regularly tested by independent North-American security firms, and remediating P0 findings is our highest priority — above shipping anything else.

02 / Policies

Industry-grade security policies

Security is a practice, not a checkbox. We operate documented policies for incident response, access control, backups, and disaster recovery — each with a named owner — and review them continuously as the product evolves.

03 / Transparency

Radical data transparency

We tell you exactly what we collect, where it lives, and who can touch it. Your data is anonymized in analytics and BI, and we will never sell or share it without your explicit consent. Not now, not ever.

// Under the hood

Hardened infrastructure.

We stand on certified providers so you don't have to take our word for it — you can read theirs.

Edge security

Traffic terminates on Google's global front end, with managed TLS and infrastructure-level DDoS protection.

Infrastructure security

US data residency

Data is hosted in the United States, encrypted in transit (TLS 1.3) and at rest (AES-256).

// Data privacy

Your data stays yours.

We follow the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). In analytics, BI, and with any third-party vendor, your data — and your teammates' — is always anonymized.

We're all going to have to change how we think about data protection.
Elizabeth Denham, Former UK Information Commissioner

// Enterprise

Want the full picture?

We maintain a detailed catalogue of internal security policies that we share with enterprise customers on request.

Incident response · Data retention · Disaster recovery · Backup policy · Device management · Access control