At Catalytic, we are dedicated to providing a high level of security to our customers. We combine a thorough security framework, internal and external audits, and appropriately trained employees to ensure that your data is protected. Please see below for an overview of the Security controls and procedures we have in place. Also see our Contact Catalytic section below for links to contact us and manage Catalytic communications.

Control Environment

  • We have a dedicated Compliance Team that implements and monitors security-related controls
  • The Catalytic security framework consists of policies, procedures and controls that align to SOC 2, HIPAA, and GDPR requirements
  • As of 6/30/18, Catalytic has achieved successful completion of both SOC 2 and HIPAA attestation examinations, performed by an independent CPA firm
  • We utilize a third-party, cloud-based Data Center, which maintains network architecture and data layer controls that meet the requirements of the most security-sensitive organizations. The Data Center has several security-related certifications, including ISO 27001, SOC 2, FedRAMP, HIPAA, NIST, and several others
  • Our employees attend Security Awareness Training, and are required to adhere to our Code of Conduct
  • Annual Risk Assessments are performed to ensure we are addressing current as well as emerging risks
  • We follow Change Management procedures for all changes to the organization and the Catalytic platform

Physical Security

  • Our Data Centers also have controls in place to protect from man-made and natural security risks. Controls are in place at the perimeter, infrastructure, and environmental layers to ensure strong physical protection, and are audited per the security certifications listed above
  • Our offices are secured with keycards, automatic locks, alarms and security cameras

Application and Network Security

  • We have a dedicated QA department that tests all new features before release
  • Our testing and staging environments are separate from the production environment, and no actual customer data is ever used for testing
  • We have automated vulnerability scans that run at regular intervals
  • We engage a third party auditor to perform quarterly Penetration testing
  • We have automated monitoring, logging, and system alerts
  • We control logical system access, and review regularly


  • Customer data is encrypted in transit and at rest, and within the database


  • We perform regular backups of customer data
  • We have documented Incident Response and Disaster Recovery procedures and dedicated response teams

Other Product Security Features

  • Our customers have the option to use Single Sign-on (SSO) for their teams
  • Access and privileges in Catalytic are governed by role, as all users are either designated as a ‘user’ or ‘admin,’ based on the type of access required
  • Customers can mark sensitive data as ‘Confidential’ to ensure that only approved members of their teams can see certain information

GDPR (General Data Protection Regulation)

We have several policies and controls that address GDPR requirements. The controls include areas such as options for opt-in/opt out of communications, procedures surrounding data retention, data breach procedures, DPIA (Data Protection Impact Assessment) procedures, procedures related to sub-contractors, as well ensuring the proper treatment of individual’s rights and subject access requests. This new regulation will help enhance the security surrounding the personal data of all Catalytic customers.

See the Contact Catalytic section below for any GDPR-related inquiries, as well as the additional GDPR information below.

More on GDPR:

What choices and rights do I have?

If you are a Catalytic user and provide us with your Personal Information, you have several rights with respect to that information. Upon request, Catalytic will provide Customers with information about the type of data processed, including Personal Information. An individual who wishes to access, review, correct, amend, request, or delete data should contact Catalytic and we will execute the request if we are the Data Controller and, if Catalytic is a Data Processor, direct the request appropriately to the Data Controller, which in many instances will be to Catalytic’s customer, the user’s employer. Data controllers who wish to exercise their right of data portability may also do so here. We will respond to requests within 30 days.

How do I submit a Subject Access Request (SAR)?

You may submit requests here: Submit a Subject Access Request (SAR)

How do I opt out of communications?

You may unsubscribe from Catalytic communications by clicking on the “unsubscribe” link located on the bottom of our emails, or by clicking here: Opt-out of our communications

Note that opting out of communications may prevent you from learning about new Catalytic features, and that customer and users cannot opt out of receiving service or transactional emails related to their Catalytic account.

How do I opt in (or back in) to communications?

You may subscribe to Catalytic communications by clicking here: Sign up (opt-in) to receive our communications

How long do we keep customer information?

We will retain the personal data we process on behalf of our customers for as long as needed to provide services to our customer. Catalytic will retain the personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Does Catalytic use any third parties?

We use third parties to provide some functionality and integrations within the Catalytic platform. You have the choice to choose which of these features and integrations to use.

Contact Catalytic

If you have any Security related questions, concerns, or comments, please contact us using one of the links below. For any other questions, contact us at

Send a security question to our team

Submit a Subject Access Request (SAR)

Opt out of our communications

Sign up (opt-in) to receive our communications

Request a copy of our SOC 2 or HIPAA Reports