AttributeIQ Information Security Overview

    At AttributeIQ, information security is a core part of our product. Safeguarding customer data is a fundamental responsibility embedded in every layer of our platform and operations, and we’re committed to transparency in how we protect, manage, and monitor that information every day.

    Organisational Security

    AttributeIQ has adopted a security programme aligned with the global ISO 27001 standard. This gives us a structured, long-term framework for protecting both our organisation and our customers’ data. Security responsibilities are clearly owned, controls are documented, and our practices are continuously evaluated and improved.

    Our Approach to Security Compliance

    To make our continuous security work independently verifiable, we run on infrastructure independently certified to the most widely recognised standards for SaaS, SOC 2 Type II and ISO 27001. These certifications are held by our infrastructure providers, Google Cloud Platform and Supabase, and are verified annually by external independent auditors.

    We believe this model gives our customers a stronger assurance process than traditional vendor security questionnaires, which are rarely well-suited to a SaaS context. The security domains they cover are already addressed within the certified audit reports of our infrastructure stack.

    If your organisation requires a DPA, NDA, or further compliance documentation, contact us here.

    Certifications & Compliance

    SOC 2TYPE II
    SOC 2 Type IIAttributeIQ runs on GCP and Supabase, both independently audited under AICPA standards and certified SOC 2 Type II for security, availability, and confidentiality.
    ISO27001
    ISO 27001The same stack holds ISO 27001 certification, ensuring structured, continuously improved management of information security risks.
    Google OAuthAuthentication flows through Google OAuth 2.0, passwords stay encrypted and private, and are never stored or accessible within AttributeIQ’s systems.
    GDPR & CCPAAll data is stored and processed exclusively within the European Union, keeping AttributeIQ fully aligned with both GDPR and CCPA privacy requirements and obligations.

    Type of Data We Process

    The data AttributeIQ processes is exclusively GA4 analytics data: page paths, session metadata, traffic source parameters, and pseudonymous user identifiers (user_pseudo_id) assigned by GA4. This data is ingested from your GA4 property and stored securely in AttributeIQ’s infrastructure, hosted within the EU, and used exclusively to power your attribution reports.

    AttributeIQ does not process personally identifiable information. GA4 anonymises all visitor data by default. We never have access to names, email addresses, IP addresses, or any directly identifying information about your website visitors.

    HubSpot Integration (Optional)

    If you choose to connect your HubSpot account, AttributeIQ will sync the following additional data:

    • Contact information: name, email address, company name (only for contacts that have a ga4_client_id property)
    • Deal information: deal value, deal stage, deal name (associated with synced contacts)
    • Form submission data: any message or notes submitted via HubSpot forms

    This data is stored in your AttributeIQ account and used exclusively to display real contact information in Journey Explorer. You can disconnect HubSpot at any time from Settings → Integrations → HubSpot, which will remove all synced contact data.

    Data Handling Details

    Security Programme

    Sub-Processors

    The following is a complete list of third parties that process data in connection with your AttributeIQ account. No customer data is processed outside the EU.

    Sub-processorLocationPurposeData processed
    Google Cloud PlatformEU (Belgium)BigQuery data storage & query executionGA4 analytics data, ingested and stored in AttributeIQ infrastructure
    SupabaseEU (London)Auth, database, edge functionsEmail, property config, settings
    Google OAuthEU infrastructureAuthenticationEmail address only
    ResendEU-hostedTransactional emailEmail address for account notifications
    HubSpotUS/EU (depends on your HubSpot account region)Contact and deal data sync (optional)Contact name, email, company, deal value, deal stage (only for accounts with HubSpot connected)

    Frequently Asked Questions

    Further questions? Email us at hello@attribute-iq.com