Built for the security review.
Deadlift is sold to engineering teams in regulated environments. The product is structured so that the security questionnaire is short: nothing leaves your AWS account.
Your compliance, not ours.
Because Deadlift runs entirely in your AWS account, our compliance story is essentially "you keep your existing one". We add no new data processor to your scope.
- SOC 2: Inherited from your AWS account
- ISO 27001: Inherited from your AWS account
- HIPAA: Eligible if your account is configured
- GDPR: Deploy in any region you choose
Architectural principles
The decisions we made up front so the security story is short.
Data residency by design
Deadlift is a CloudFormation template. The entire stack deploys into your own AWS account. There is no SaaS backend to send data to.
Zero data egress
Message bodies, receipt handles, and audit log entries live exclusively in DynamoDB tables in your account. No data plane on our side.
Least-privilege IAM
Every Lambda has its own execution role scoped to the minimum required permissions. No shared roles, no wildcards.
Non-destructive browsing
Deadlift never consumes a message unless you explicitly tell it to. Browsing extends visibility timeout - it doesn't delete.
Cognito authentication
User authentication via Cognito User Pool deployed in your account. MFA on every tier, SAML / OIDC SSO on Enterprise.
Encryption at rest and in transit
DynamoDB tables use AWS-managed encryption at rest. CloudFront redirects HTTP to HTTPS. AppSync requests carry Cognito-issued JWTs over TLS.
Answering the security questionnaire.
The questions a security reviewer actually asks.
- Where is customer data stored?
- In DynamoDB tables provisioned inside the customer's own AWS account at deploy time. Deadlift has no shared backend or central database. There is no copy of customer data on infrastructure we control.
- Does Deadlift have access to customer message bodies?
- No. The dashboard, AppSync API, Lambda functions, and DynamoDB tables all run inside the customer account. We have no read path in. Customer message bodies are visible only to the operators authenticated against the customer's own Cognito User Pool.
- What outbound network traffic does Deadlift generate?
- Two destinations only: a customer-configured webhook URL for alarm notifications (optional, off by default), and AWS Marketplace for billing metering. Message bodies are never sent to either - the webhook payload is metadata only.
- How are operator actions audited?
- Every replay, edit, and purge writes an audit record to a DynamoDB table in the customer account. Records include the Cognito identity of the operator, action type, target queue, message IDs, and timestamp. Retention is tier-gated (7 / 30 / 90 / 365 days).
- What IAM permissions does Deadlift hold?
- Each Lambda has its own execution role scoped to the minimum permissions for its job. The replay Lambda only holds ReceiveMessage / SendMessage / DeleteMessage on queues in the account. The list Lambda only holds ListQueues / GetQueueAttributes. There is no shared role and no wildcard beyond what's strictly required.
- How are credentials managed?
- Deadlift never asks for or stores credentials. Operators authenticate against the customer's Cognito User Pool. The Lambda functions assume their own IAM execution roles via the standard AWS Lambda runtime - no long-lived keys.
- Is data encrypted at rest and in transit?
- Yes. DynamoDB tables use AWS-managed encryption at rest. CloudFront enforces HTTPS via redirect-to-HTTPS viewer protocol policy. AppSync uses Cognito-issued JWTs over TLS for every authenticated request.
- What happens if Deadlift the company shuts down?
- The CloudFormation stack continues to run inside the customer's AWS account. There is no licence-server check or remote feature flag that the product depends on. Customers retain everything that's already deployed; only future updates would stop arriving.
- Can we delete all Deadlift data?
- Yes - delete the CloudFormation stack and every DynamoDB table, Lambda, Cognito User Pool, and S3 bucket goes with it. There is no shadow copy on our infrastructure because there is no infrastructure on our side.
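One way a reviewer could check the IAM answer above against the policies in a deployed stack, as an added example that is not Deadlift's own code. The role keys, sample policies and account ID are constructed, and treating sqs:ListQueues as unscopable is an assumption to confirm against the AWS service authorization reference.

```python
import json

# SQS actions the page states for each function's role (role keys are assumed names).
STATED_SQS = {
    "replay": {"sqs:receivemessage", "sqs:sendmessage", "sqs:deletemessage"},
    "list": {"sqs:listqueues", "sqs:getqueueattributes"},
}
# Assumption: sqs:ListQueues has no resource-level scoping, so Resource "*" is expected.
RESOURCE_STAR_OK = {"sqs:listqueues"}

def as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]

def audit_role(role, policy):
    """Return findings for one role's policy document (dict or JSON string)."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for i, stmt in enumerate(as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"{role}[{i}]: Allow with NotAction grants everything else")
            continue
        # IAM action names are case-insensitive, so compare in lower case.
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        for a in actions:
            if "*" in a or "?" in a:
                findings.append(f"{role}[{i}]: wildcard action {a}")
            elif a.startswith("sqs:") and a not in STATED_SQS[role]:
                findings.append(f"{role}[{i}]: unstated SQS action {a}")
        if "*" in as_list(stmt.get("Resource", [])) and set(actions) - RESOURCE_STAR_OK:
            findings.append(f"{role}[{i}]: Resource * on scopable actions")
    return findings

# Constructed sample policies, not taken from the Deadlift template.
GOOD_REPLAY = {"Statement": [{"Effect": "Allow",
    "Action": ["sqs:ReceiveMessage", "sqs:SendMessage", "sqs:DeleteMessage"],
    "Resource": "arn:aws:sqs:eu-west-1:111122223333:orders-dlq"}]}
GOOD_LIST = {"Statement": [
    {"Effect": "Allow", "Action": "sqs:ListQueues", "Resource": "*"},
    {"Effect": "Allow", "Action": "sqs:GetQueueAttributes",
     "Resource": "arn:aws:sqs:eu-west-1:111122223333:*"}]}
BAD_LIST = {"Statement": [{"Effect": "Allow",
    "Action": ["sqs:ListQueues", "sqs:PurgeQueue", "sqs:Get*"], "Resource": "*"}]}

if __name__ == "__main__":
    for role, pol in [("replay", GOOD_REPLAY), ("list", GOOD_LIST), ("list", BAD_LIST)]:
        print(role, audit_role(role, pol) or "ok")
```

Feed it the policy documents attached to each execution role in the deployed stack; an empty list means the role grants no SQS action beyond what the answer above states.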
Have a question we haven't answered?
Send your security questionnaire over and we'll respond within two business days.