Security & compliance
Batida is designed with security as a foundational principle. This page describes the security measures, access controls, and compliance considerations that apply to your organization's data.
Data encryption
| Layer | Encryption method |
|---|---|
| In transit | TLS 1.3 |
| At rest | AES-256 |
| Backups | AES-256 with separate encryption keys |
All data transferred between your browser and Batida's servers is encrypted using TLS 1.3. Data stored in databases and backups is encrypted at rest using AES-256.
Authentication
Batida supports the following authentication methods:
| Method | Description |
|---|---|
| Email and password | Standard authentication with bcrypt password hashing |
| SSO (SAML 2.0) | Single sign-on via your identity provider (Enterprise plan) |
| OAuth 2.0 | Sign in with Google or GitHub |
Organization administrators can enforce SSO-only authentication and disable password-based login on the Enterprise plan.
For SAML 2.0 setup, see SAML SSO Setup.
Role-based access control (RBAC)
Batida uses RBAC to control what users can do. Roles are hierarchical -- higher roles inherit all permissions from the roles below them. Each user has one of the following roles:
| Role | Permissions |
|---|---|
| Viewer | View incidents and postmortems; cannot edit or create |
| Responder | Create incidents, add comments, update status, acknowledge and resolve incidents |
| Commander | Manage incidents, change severity, reassign, trigger escalations, publish postmortems |
| Admin | Full access: settings, members, schedules, escalation policies, billing, integrations, status pages |
| Owner | Same as Admin plus transfer ownership and delete organization |
Roles are assigned by Admins or Owners from Settings > Members. For a full breakdown, see Roles and Permissions.
Session management
- Sessions expire after 30 days of inactivity.
- Users can view and revoke active sessions from their profile settings.
- Org Admins can force-logout any user from the organization.
SOC 2 compliance
Batida maintains SOC 2 Type II compliance. Key controls include:
- Annual third-party security audits.
- Continuous infrastructure monitoring.
- Employee access controls and background checks.
- Incident response and disaster recovery procedures.
SOC 2 reports are available to Enterprise customers upon request.
GDPR considerations
Batida processes personal data (user names, email addresses) to provide its services. Under GDPR:
- Users can request a copy of their personal data.
- Users can request deletion of their personal data (subject to retention requirements).
- Organization administrators act as data controllers for their organization's data.
- Data is stored in data centers located in the user's region.
To submit a data request, contact the Batida team through the support portal.
WARNING
If your organization requires a Data Processing Agreement (DPA), contact the Batida team before storing sensitive data in the platform.