Data governance
Active Reach classifies, protects, and controls access to your data throughout its lifecycle.
Data classification
| Classification | Examples | Handling |
|---|---|---|
| PII | Email, phone, name, address | Encrypted at rest, masked in logs, deletable on request |
| Behavioral | Events, page views, purchases | Encrypted at rest, aggregatable, TTL-based retention |
| Operational | Campaign configs, journey definitions, templates | Encrypted at rest, versioned, audit-logged |
| Derived | Segment memberships, analytics aggregates, AI scores | Encrypted at rest, recomputable from source data |
Encryption
| Layer | Method |
|---|---|
| In transit | TLS 1.3 for all API calls, webhook deliveries, and SDK communication |
| At rest (database) | AES-256-GCM for PostgreSQL (contacts, campaigns, settings) |
| At rest (analytics) | Encrypted volumes for ClickHouse (events, delivery records) |
| Secrets | AES-256-GCM for channel credentials, API keys, webhook secrets — stored in a dedicated secrets vault |
Access controls
| Control | How it works |
|---|---|
| RBAC | Role-based access — team members only see/do what their role permits |
| Workspace isolation | Data is physically separated per workspace (brand-tenant) — no cross-workspace queries outside the dedicated portfolio surface. The delivery substrate (delivery_events, timeline_cards) carries an explicit workspace_id on every row; intentionally org-level rows use the '__org__' sentinel — never an empty string — so reads can distinguish org-level rows from leakage |
| Regional isolation | Data stays in the cell region chosen during onboarding (India, US, EU, APAC) |
| Audit trail | Every data access and modification is logged with actor, timestamp, and IP |
| Impersonation controls | Admin impersonation is time-limited, audit-logged, and visually indicated |
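
The workspace_id rule in the table above can be enforced on both the write and the read path. The sketch below is an added example, not Active Reach code: it uses an in-memory SQLite table as a stand-in, and everything except the names delivery_events, workspace_id and '__org__' (the column layout, the function names, the sample rows) is assumed for illustration.

```python
import sqlite3

ORG_SENTINEL = "__org__"  # sentinel value named on the page

def open_store():
    """In-memory stand-in for delivery_events; the column layout is assumed."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE delivery_events (
               id INTEGER PRIMARY KEY,
               workspace_id TEXT NOT NULL CHECK (length(trim(workspace_id)) > 0),
               payload TEXT NOT NULL)""")
    return db

def insert_event(db, workspace_id, payload):
    """Write path: a NULL or blank workspace_id is refused by the constraints."""
    try:
        db.execute("INSERT INTO delivery_events (workspace_id, payload) VALUES (?, ?)",
                   (workspace_id, payload))
        return True
    except sqlite3.IntegrityError:
        return False

def read_events(db, workspace_id, include_org=False):
    """Read path: always scoped; org-level rows are returned only on request."""
    if not workspace_id or workspace_id == ORG_SENTINEL:
        raise ValueError("caller must supply a concrete workspace_id")
    scopes = [workspace_id] + ([ORG_SENTINEL] if include_org else [])
    marks = ",".join("?" * len(scopes))  # placeholders only, values stay bound
    return db.execute(
        f"SELECT workspace_id, payload FROM delivery_events "
        f"WHERE workspace_id IN ({marks}) ORDER BY id", scopes).fetchall()

def audit_unscoped(rows):
    """Detection over exported rows: a missing scope is a leakage candidate."""
    return [r for r in rows if r[0] is None or not str(r[0]).strip()]

if __name__ == "__main__":
    db = open_store()
    for ws, body in [("ws_a", "sent"), ("ws_b", "sent"), (ORG_SENTINEL, "quota"), ("", "orphan")]:
        print(repr(ws), "accepted" if insert_event(db, ws, body) else "rejected")
    print(read_events(db, "ws_a", include_org=True))
    # Constructed legacy export containing rows written before the constraint existed
    print(audit_unscoped([("ws_a", "sent"), ("", "orphan"), (None, "orphan")]))
```

Because an org-level row must carry the sentinel explicitly, a blank workspace_id can only mean a write that skipped scoping, which is what the audit function reports.
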
PII handling
- SDK events — PII fields (email, phone, name) are identified and handled separately from behavioral data
- Analytics — aggregate metrics never contain PII; individual-level queries require contacts.read permission
- Exports — CSV exports of contacts or events require explicit permission and are logged in the audit trail
- Logs — server logs mask PII fields automatically (email → p***@example.com)
Customer-facing media
All customer-facing media (logos, brand assets, creative, invoices, receipts, GST bundles) is served via the canonical CDN at media.active-reach.ai, which fronts the underlying object stores. Customer surfaces use the canonical_invoice_url / canonical_receipt_url helpers — raw, end-to-end presigned URLs from object storage are never embedded in customer-visible payloads.
What’s next
- RBAC & impersonation — role-based access details
- GDPR / DPDP & deletion — handle deletion requests