Security

Built for workflows that carry real accountability.

Blocks is designed for teams where security isn't an afterthought — compliance leads, legal operations, and engineering teams with external audit requirements.


Security controls

The technical and process controls Blocks is built on.

Encryption in transit and at rest

All data is transmitted over TLS 1.2+. Workflow run data and audit logs are encrypted at rest using AES-256. API keys are stored with one-way hashing and are never readable after creation.

Immutable audit log

Every workflow step, approval decision, and routing event is written to the audit log and cannot be modified or deleted after writing. Full chain of custody for every run.

Role-based access control

Granular RBAC: admins manage workflows and integrations, operators trigger and monitor runs, approvers act on assigned steps only. No over-permissioned accounts.

SSO / SAML (Enterprise)

The Enterprise plan includes SAML 2.0 SSO support. Enforce your organization's identity policies, require MFA, and provision users through your IdP. Okta, Azure AD, and standard SAML providers are supported.

Data residency (Enterprise)

Custom data residency options are available on the Enterprise plan. Choose your preferred AWS region for workflow run data and audit log storage. Discuss requirements with our team.

SLA enforcement

Configurable SLA timers on every approval step. Automatic escalation before deadline with full context. All escalation events logged — auditors can verify SLA compliance after the fact.

Compliance design

Designed with SOC 2 controls in mind.

Blocks is not yet SOC 2 certified. The product was designed from day one with the logical access, audit trail, and change management controls that SOC 2 Type II assessments typically examine. Enterprise customers can request our security design documentation.

Data handling

Your data stays yours.

Blocks stores workflow configuration and run logs. We do not train AI models on your workflow data. LLM calls use your own API keys — Blocks acts as an orchestration layer, not a model reseller, and does not retain prompt contents beyond the current run unless you enable audit log storage explicitly.

Integration credentials (OAuth tokens, API keys) are stored encrypted and scoped to the minimum permissions required for the configured workflow steps.

Security questions? Talk to us directly.

Security questions are handled directly by the engineering and product team — not routed through a support queue.