01 Infrastructure
We host on tier-1 cloud providers (AWS, GCP, Vercel, Cloudflare) with SOC 2 / ISO 27001 attestations. Production environments are isolated from development. Secrets live in managed vaults — never in repositories. All network traffic is TLS-encrypted in transit and storage is encrypted at rest with provider-managed keys (with customer-managed key options on request).
02 Access control
MFA is mandatory for administrative accounts and any system that holds customer data. Access is role-based and reviewed quarterly. Production access requires written approval and is logged. Offboarded staff lose access within 24 hours.
03 Application security
All inputs are validated server-side against strict schemas. Authentication, authorization and audit logging are designed in from the start. Dependencies are scanned weekly; critical CVEs are patched within a defined SLA. Static analysis runs in CI. Web apps ship with CSP, HSTS, X-Frame-Options, Referrer-Policy and Permissions-Policy headers.
04 Monitoring & incident response
Production systems have logging, metrics and tracing. We use Sentry for error reporting and a managed log sink for structured logs. On-call rotations exist for client engagements that need them. Incidents trigger a documented playbook: contain → eradicate → recover → review. We commit to notifying affected clients within 72 hours of a confirmed material incident.
05 Reporting a vulnerability
Found something? We appreciate responsible disclosure. Email [email protected] with reproduction details. We respond within 1 business day and aim to resolve high-severity issues within 7 days. We don't sue researchers acting in good faith; we'll credit you publicly if you'd like.