KPI Tree

Security

Enterprise-grade security and compliance. By design.

SOC 2 Type II, SSO and directory sync, audit log streaming, and an architecture that does not store your data.

Security and compliance without compromise.

Built for organisations where security reviews are thorough and compliance is mandatory.

SOC 2® Type II

The gold standard for compliance. Unlike a point-in-time audit, Type II verifies our controls operate effectively over an extended period, independently examined for Security, Availability and Confidentiality.

AICPA SOC 2 badge
Security
Availability
Confidentiality
Trust Center
Continuous Monitoring
Controls Verified
CREST Penetration Testing
Microsoft Entra ID
NetIQ
LastPass
Keycloak
PingIdentity
Shibboleth
ClassLink
Auth0
KPI Tree

SSO. One click, your identity provider.

Secure access through your identity provider. SAML 2.0 and OpenID Connect supported. Your team signs in with credentials they already have.

Microsoft Entra IDMicrosoft Entra ID
UserUserUser
OktaOkta
UserUserUser
Google WorkspaceGoogle Workspace
UserUserUser
KPI Tree
KPI Tree
John Doe
John Doe
john@company.com
Sarah Miller
Sarah Miller
sarah@company.com
Alex Johnson
Alex Johnson
alex@company.com
3 users synced

Directory sync. Users managed automatically.

Sync users directly from your corporate directory (Microsoft Entra ID, Okta, Google Workspace). Access is provisioned and deprovisioned automatically as your team changes.

Enterprise+
KPI Tree
[AUDIT] User login: john@acme.io
[ACCESS] Dashboard viewed: Sales
[UPDATE] Metric edited: Revenue
[ALERT] Threshold hit: Churn Rate
Streaming logs...
LOG
KPI Tree
DatadogDatadog
Receiving logs...
>
Splunk
Indexing events...

Audit logs. Stream to your SIEM.

Stream user activity and security audit logs to your existing SIEM provider. Compatible with services like Datadog and Splunk for centralised monitoring and compliance.

Enterprise+
Corporate VPN
IP: 10.0.1.42
UserUser
ZscalerZscaler
IP: 165.225.80.0/23
User
Unknown IP
IP: 185.220.101.45
Access Denied
KPI Tree
ALLOW10.0.1.42
ALLOW165.225.80.15
DENY185.220.101.45
Protected access

Endpoint protection. Restrict access to approved IPs.

Restrict login attempts to your approved IP ranges only. If you use a service like Zscaler, access is limited to your secure network, preventing unauthorised access from outside.

Your Database
Original data
revenue: £1.2M
users: 523
Google HSM
Hardware Security
FIPS 140-2 L3
KPI Tree
Encrypted Cache
aGx7Ks9mN2pQ4...
3fB9nD5xZ1wE7...

HSM encryption. Hardware-backed, always encrypted.

By design we fetch your data on the fly rather than storing it. Anything temporarily cached is encrypted at rest using a Hardware Security Module (HSM).

Enterprise+
Your Database
Original data
revenue: £1.2M
users: 523
Your KMS
Customer Key
You control
KPI Tree
Encrypted Cache
aGx7Ks9mN2pQ4...
3fB9nD5xZ1wE7...

BYOK. Bring your own key.

For customers in regulated industries, bring your own key to encrypt your data at rest with a key you control.

Read-only by design. Your data stays in your warehouse.

KPI Tree connects to your sources with scoped, read-only credentials and runs one scheduled query per metric. It is an architecture that does not store your data, so a security review starts from a small, legible surface.

  • Scoped, read-only service credentials
  • TLS verified on every connection
  • Secrets encrypted, never leaving the encrypted store

Warehouse connection

Connected
Hostanalytics-prod.••••••.cloud
Service credential••••••••••••
TLS verifiedScoped service credentialsSecrets encrypted

Read-only access · credentials never leave the encrypted store

Something your security team needs? Bring your questionnaire.

We work with procurement and security reviews directly.