We are dedicated to providing a high level of security to our customers


At Catalytic, we combine a thorough security framework, internal and external audits, and appropriately trained employees to ensure that your data is protected. Please see below for an overview of the security controls, procedures and support we have in place. 


Control environment

  • Catalytic maintains SOC 2 Type 2 and HIPAA attestation examinations, performed annually by an independent CPA firm

  • We undergo quarterly third party penetration testing to help ensure the security of our platform

  • We have a dedicated compliance team that implements and monitors security-related controls

  • The Catalytic security framework consists of policies, procedures and controls that align to SOC 2, HIPAA, and GDPR requirements

  • We utilize a third-party, cloud-based data center, which maintains network architecture and data layer controls that meet the requirements of the most security-sensitive organizations. The data center has several security-related certifications, including ISO 27001, SOC 2, FedRAMP, HIPAA, NIST, and several others

  • Our employees attend security awareness training, and are required to adhere to our code of conduct

  • Annual risk assessments are performed to ensure we are addressing current as well as emerging risks

  • We follow change management procedures for all changes to the organization and the Catalytic platform


Physical security

  • Our data centers also have controls in place to protect from man-made and natural security risks. Controls are in place at the perimeter, infrastructure, and environmental layers to ensure strong physical protection, and are audited per the security certifications listed above

  • Our offices are secured with keycards, automatic locks, alarms and security cameras


Application and network security

  • We have a dedicated QA department that tests all new features before release

  • Our testing and staging environments are separate from the production environment, and no actual customer data is ever used for testing

  • We have automated vulnerability scans that run at regular intervals

  • We engage a third party auditor to perform quarterly penetration testing

  • We have automated monitoring, logging, and system alerts

  • We control logical system access, and review regularly



  • Customer data is encrypted in transit and at rest, and within the database



  • We perform regular backups of customer data

  • We have documented incident response and disaster recovery procedures and dedicated response teams


Other product security features

  • Our customers have the option to use single sign-on (SSO) for their teams

  • Access and privileges in Catalytic are governed by role, as we provide different levels of user permissions, including "admin," based on the type of access required

  • Customers can mark sensitive data as "confidential" to ensure that only approved members of their teams can see certain information or processes


GDPR (General Data Protection Regulation)

We have several policies and controls that address GDPR requirements. The controls include areas such as options for opt-in/opt out of communications, procedures surrounding data retention, data breach procedures, DPIA (Data Protection Impact Assessment) procedures, procedures related to subcontractors, as well as ensuring the proper treatment of individual’s rights and subject access requests. This new regulation will help enhance the security surrounding the personal data of all Catalytic customers.

See more on GDPR and contact us for any GDPR-related inquiries below.


More on GDPR:

What choices and rights do I have?

If you are a Catalytic user and provide us with your personal information, you have several rights with respect to that information. Upon request, Catalytic will provide customers and users with information about the type of data processed, including personal information. An individual who wishes to access, review, correct, amend, request, or delete data should contact Catalytic and we will ensure the request is fulfilled. As we are a data processor, we may need to communicate with the data controller to fulfill requests. Data controllers who wish to exercise their right of data portability may also do so here. We will respond to requests within 30 days.


How do I submit a Subject Access Request (SAR)?

You may submit requests here: Submit a Subject Access Request (SAR)


How do I opt out of communications?

You may unsubscribe from Catalytic communications by clicking on the "unsubscribe" link located on the bottom of our emails, or by clicking here: Opt-out of our communications

Note that opting out of communications may prevent you from learning about new Catalytic features, and that customer and users cannot opt out of receiving service or transactional emails related to their Catalytic account.


How do I opt in (or back in) to communications?

You may subscribe to Catalytic communications by clicking here: Sign up (opt-in) to receive our communications


How long do we keep customer information?

We will retain the personal data we process on behalf of our customers for as long as needed to provide services to our customer. Catalytic will retain the personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.


Does Catalytic use any third parties?

We use third parties to provide some functionality and integrations within the Catalytic platform. You have the choice to choose which of these features and integrations to use.


Contact Catalytic

If you have any security related questions, concerns, or comments, please contact us using one of the links below. 

For any other questions, contact us at