Security at Geocodio

What your IT and compliance teams need to know before sending Geocodio your address data.

Self-Serve and Enterprise

Geocodio is available on two platforms: Self-Serve and Enterprise. Self-Serve is hosted in Europe and designed for teams whose security needs are met by strong defaults, such as HTTPS and encryption at rest. Enterprise is designed for organizations with sophisticated security requirements, including SOC 2 Type II, HIPAA/HITECH, SAML SSO, full encryption at rest, and on-premises deployment.

Data ownership and privacy

Your data is yours, not ours. Geocodio does not sell it, share it with third parties, or use it to train AI. You can read our privacy statement here and our Terms of Use here.

You can delete your account at any time via the dashboard.

Data retention

See our full data retention policy here. Enterprise accounts can customize the data retention policy.

Self-Serve

  • Spreadsheet uploads are retained for up to six weeks after processing unless you’ve elected to turn them into a map, in which case they are stored indefinitely.

  • Single API requests are stored for up to 46 days.

  • Contents of batch API requests are never stored.

  • Contents of lists API requests are stored for up to 72 hours.

Enterprise

  • Spreadsheet uploads are retained for up to 72 hours after processing unless you’ve elected to turn them into a map, in which case they are stored indefinitely.

  • Contents of single and batch API requests are never stored.

  • Contents of lists API requests are stored for up to 72 hours.

Data encryption

Self-Serve Enterprise
Encryption in transit (HTTPS)
Uploaded spreadsheets encrypted at rest (AES-256)
Full encryption at rest, including logs Some may be stored in plain text

HTTP endpoint

While HTTPS is recommended, for some use cases, HTTP may be preferable. Self-serve customers may explicitly decide to use the non-HTTPS API endpoint.

Infrastructure resilience

Geocodio runs on dedicated physical servers. No shared hardware, no noisy neighbors.

  • Multiple data centers operated for full redundancy

  • Electronic access controls, high-security perimeters, 24/7 video monitoring

  • Over 2 billion lookups processed monthly

Read more about how we ensure high availability.

Ongoing system updates and monitoring

  • Automated patching across internal and external services

  • Principle of least privilege applied to firewall rules and permissions

  • Internal network traffic kept internal wherever possible

  • Third-party vendor runs ongoing port and vulnerability scans

Customers on our Enterprise platform are able to view copies of our annual penetration tests.

Audit logs

All Enterprise accounts include an audit log capturing date, time, IP address, action, and user email. Compliance users can download audit logs for the entire organization.

User security

Team Accounts with role-based access control are available on Flex and Unlimited plans (both Self-Serve and Enterprise). Enterprise Unlimited and On-Premises customers have the ability to create custom roles.

Two-factor authentication is available for all accounts. Team account administrators have the ability to enforce two-factor authentication. Two-factor authentication is always required for Enterprise accounts.

Enterprise accounts are logged out of the dashboard after 15 minutes of inactivity.

SAML SSO is available for Enterprise accounts. See more here.

Compliance

Geocodio Enterprise was built for organizations handling sensitive data or operating under heightened security requirements. Geocodio Enterprise runs on infrastructure entirely separate from Self-Serve, and there are no shared infrastructure resources between the platforms.

  • SOC 2 Type II: audited annually

  • HIPAA/HITECH-compliant for US health data, including BAA

As Geocodio Enterprise runs on entirely separate infrastructure, our SOC 2 Type II audit and external penetration tests only apply to the Enterprise platform.

Please see more about Geocodio Enterprise here.

On-premises deployment

For organizations that can't send data outside their own environment, the Geocodio geocoding API is available on-premises. (Distance and spreadsheet uploads are not available.) See more here.

Questions from your security team?

Email Geocodio directly.

Related Resources

Responsible Disclosure Policy

Security researcher? Please read our Responsible Disclosure Policy.

Infrastructure

Geocodio's resilient, hardened infrastructure processes over 2 billion lookups per month.

Privacy Practices

Details Geocodio's privacy practices, including GDPR and CCPA compliance.

Data Retention Policy

How long we store data for.

Data Sources

Geocodio only uses publicly-available datasets, powered by our in-house geocoding engine.

Contact Us

Does your IT security team have questions about our security practices? Please reach out to us.
