Elate App Security

We understand how important it is to keep the data you process in Elate secure. Our systems were designed with security and data protection at the forefront, and we are always improving our platform through use of industry best practices.

  • Whenever data is being transmitted or stored, it is always encrypted.
  • Elate never permanently stores the raw data it processes when using our custom integrations. We store only the aggregate information used in our graphs.
  • We may cache data from the integration services to ensure your requests are served quickly, but we never persist that data for more than 24 hours.


Connections to third party services such as Google Sheets, Salesforce, and Hubspot are always SSL encrypted. At this time, Elate has no intention to ever integrate with a service that does not encrypt its data in flight.

Website and Application

All connections to our website and application are encrypted by industry-standard protocols. If accessing our services through HTTP, you will always be redirected to HTTPS.

Data Retention

When the Elate system processes data for a metric, it may cache the source data from the third party service in order to process it efficiently. The maximum time that this data will be cached is 24 hours and it may be shorter depending on the implementation of the individual integration. An Elate metric stores the result of a calculation and is only dependent on its connection to a source system in order to provide automatic updates.

The only source data that Elate may permanently store from third party systems is the offline access tokens that the system uses to extract data periodically. The tokens are stored encrypted and will never be shared for any reason.

Once a plugin is disconnected from Elate, the platform will no longer try to communicate with that system. After a disconnect, all associated metrics will become detached from the plugin. The aggregate extract data will remain in case the user wishes to re-connect the plugin or keep the metric for historical purposes. If a metric is deleted in Elate it is permanently deleted and not archived.


The Elate platform is hosted on Heroku, which is backed by Amazon Web Services. Heroku regularly performs audits and maintains PCI, HIPAA, ISO, and SOC compliance.

For more information visit: https://www.heroku.com/compliance

Application Permissions

Elate provides an additional layer of security by allowing configurable permissions within an organization. Elate follows the principle of least privilege and we always build out permissions with the absolute minimum access required to perform any function. We would rather fail a request because of too little access than accidentally grant access to something unintentionally.

These permissions allow configurable visibility, group-level access, and private direct grants on many of the objects in our system. The permission system is a versatile tool that can allow an organization to protect its data in any way it sees fit.

Integration Permissions

Using integrations in the Elate platform requires us to store credentials to these services. By default, our implementations will use OAuth where available. This ensures that Elate’s level of access is tied directly to the user who connects the plugin. All access tokens, API keys, and any other credentials are stored encrypted and never shared.

Elate always asks for the minimum amount of permissions it needs to perform its job effectively. Elate will never write back to the target systems and will use read-only scopes where available. Integrations can be disconnected at any time, both from the Elate platform and from the integration service itself.