Security at FUNEL

Security and trust are foundational to how FUNEL is built and operated. FUNEL is a B2B sales-intelligence platform that finds verified business contact records from publicly available professional and business information, enriches them with AI, runs email outreach, and syncs to your CRM. This page explains how we protect your data through encryption, access controls, compliance programs, and a disciplined approach to privacy and incident response. Effective date: June 17, 2026.

Effective date:

Our security commitment

FUNEL protects customer data with encryption in transit and at rest, least-privilege access controls, a documented information-security program, and continuous monitoring. Security is treated as a core product requirement, not an afterthought, and is reviewed as the platform evolves.

We design our systems so that the right people have access to the right data for the right reasons, and no more. The sections below describe the specific safeguards we operate across encryption, infrastructure, access, compliance, privacy, application security, monitoring, and reliability.

We aim to be precise about what we do today rather than over-promise. Where a program is ongoing, we say so. If you have questions about any control described here, contact us at security@funel.to.

Data encryption

All data is encrypted both in transit and at rest. Connections to FUNEL are protected with TLS 1.2 or higher, and data stored on our systems is encrypted at rest using AES-256. This protects your information as it moves over the network and while it sits in our databases and backups.

In transit

  • TLS 1.2 or higher for all traffic between your browser or systems and FUNEL.
  • Modern cipher suites and certificate management, with weak and deprecated protocols disabled.
  • Encrypted connections to the external services and integrations FUNEL communicates with on your behalf.

At rest

  • AES-256 encryption for stored data, including primary databases and backups.
  • Encryption keys managed through our cloud hosting provider's key-management services with restricted access.
  • Secrets and credentials stored in protected secret stores rather than in source code or plain configuration.

Infrastructure security

FUNEL runs on a reputable cloud platform with network isolation and hardened configurations. Production systems are separated from development environments, network access is restricted by default, and infrastructure is configured to industry-recognized baselines.

  • Hosting on an established cloud hosting provider with strong physical and environmental controls in its data centers.
  • Network isolation using private networks, segmentation, and firewall rules that deny traffic by default and permit only what is required.
  • Hardened server and service configurations, with administrative interfaces not exposed to the public internet.
  • Separation between production, staging, and development environments to limit the blast radius of any single change.
  • Infrastructure managed through controlled, reviewable changes rather than ad hoc manual edits.

Access control

Access to FUNEL systems and customer data follows the principle of least privilege. Permissions are role-based, multi-factor authentication is required for staff access to sensitive systems, and access is reviewed and revoked as roles change.

How we control internal access

  • Least-privilege, role-based access so staff can reach only the data their role requires.
  • Multi-factor authentication (MFA) required for staff access to production and sensitive systems.
  • Periodic access reviews and prompt removal of access when someone changes roles or leaves.
  • Audit logging of administrative and privileged actions.

Authentication options for your team

  • Standard account authentication for all customers, including sign-in with Google and Microsoft.
  • Role-based permissions within your workspace to control what each team member can see and do.

Compliance and certifications

FUNEL is built to align with GDPR, UK GDPR, and CCPA/CPRA, and runs a documented information-security program. We make a signed Data Processing Agreement (DPA) available to customers and are transparent about how data is processed. These frameworks govern how we secure, handle, and account for the data in our care.

  • Information security: a documented program covering the security of our systems and operations, reviewed as the platform evolves.
  • GDPR and UK GDPR: data-protection practices aligned to these regulations, including a lawful basis for processing and respect for individual rights.
  • CCPA/CPRA: practices aligned to California privacy law, including the rights to access, delete, and opt out.
  • Signed DPA: available to customers who need a data processing agreement in place, including standard contractual terms for cross-border transfers where applicable.
  • Data-processing transparency: we describe our sub-processors by category (such as cloud hosting, email delivery, payment processing, and analytics) and provide a current list on request.

To request our DPA or the current sub-processor list, contact privacy@funel.to.

Data protection and privacy

FUNEL practices data minimization, applies retention limits, deletes personal data on valid request, and does not sell personal information for money. The business contact data we process about third parties comes from publicly available professional and business information, processed on the lawful basis of legitimate interest with a clear right to object.

Principles we apply

  • Data minimization: we collect and retain only what is needed to deliver the service.
  • Retention limits: data is kept for as long as it is needed for the service or to meet legal obligations, then deleted or anonymized.
  • Deletion on request: we honor valid right-to-be-forgotten and deletion requests promptly, generally within about 30 days.
  • No selling of personal information: FUNEL does not sell personal information for money.
  • Purpose limitation: data is used to provide the contracted service, not repurposed in ways that conflict with that purpose.

Individuals whose business contact information FUNEL processes can object to or request deletion of their data at privacy@funel.to. Our Privacy Policy describes these rights and the lawful basis for processing in full.

Application security

FUNEL follows a secure software development lifecycle so that security is built in before code ships. Code changes are peer-reviewed, dependencies and code are scanned for known vulnerabilities, and we run periodic penetration testing to find and fix issues before they can be exploited.

  • Secure SDLC: security considerations built into design, development, and release.
  • Code review: changes are reviewed by another engineer before reaching production.
  • Dependency and vulnerability scanning: automated checks for known vulnerabilities in our code and third-party libraries.
  • Periodic penetration testing: independent testing to validate our defenses and prioritize remediation.
  • Prompt patching: a process to evaluate and apply security updates based on severity.

Monitoring and incident response

FUNEL logs system and security events, monitors for anomalies, and maintains an incident response process. If a personal data breach affecting your data occurs, we will notify affected customers without undue delay and provide the information needed to assess and respond.

  • Centralized logging of system, application, and security events.
  • Anomaly detection and alerting on suspicious or unexpected activity.
  • A defined incident response process covering detection, containment, investigation, and recovery.
  • Breach notification to affected customers without undue delay, consistent with our legal obligations.
  • Post-incident review to identify root causes and reduce the chance of recurrence.

Reliability and continuity

FUNEL aims for high availability and maintains regular backups and a disaster recovery plan. These measures are designed to keep the service available and to restore data and operations if a disruption occurs.

  • A high-availability target for the platform.
  • Regular, encrypted backups of critical data.
  • A disaster recovery plan with defined recovery objectives.
  • Redundancy and monitoring designed to detect and recover from infrastructure failures.

Your controls

You stay in control of your data in FUNEL. You can export your data, delete records or your account, opt out where applicable, and request information about access to your workspace. These controls are available from within the product and by contacting us.

  • Export: download the data you have created or imported into your workspace.
  • Delete: remove records or request deletion of your account and associated data.
  • Opt out: manage outreach and processing preferences, and submit objection or opt-out requests for individuals.
  • Audit access: request information about who has access to your workspace and review the role-based permissions you have configured.

To exercise any of these controls or request assistance, contact security@funel.to.

Responsible disclosure

We welcome reports from security researchers who help us keep FUNEL safe. If you believe you have found a vulnerability, please report it to us privately so we can investigate and remediate before any details are made public.

Found a security issue? Report it privately to security@funel.to with enough detail to reproduce it. Please give us reasonable time to investigate and fix the issue before public disclosure, and avoid accessing, modifying, or deleting data that is not yours. We will acknowledge legitimate reports and work with you on a resolution.

We ask researchers to act in good faith, avoid privacy violations and service disruption, and follow this coordinated disclosure approach. We appreciate the work of the security community and will treat your report with care.

Contact us

For any security, privacy, or compliance question, email security@funel.to. This is the right place to request our DPA, our security documentation, the current sub-processor list, or to report a security concern.

This page is effective as of June 17, 2026 and is governed by the laws of the jurisdiction in which FUNEL is established. We may update it as our security program evolves.