Our security posture
Data Encryption
All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). We never store plaintext credentials.
Access Control
Access follows least-privilege. All internal tooling requires MFA. Access is revoked within one business day of offboarding.
Monitoring & Alerting
Errors tracked via Sentry with automated alerting. Cloudflare provides DDoS mitigation and WAF protection at the edge.
Incident Response
We maintain a documented incident response plan with defined severity tiers, notification timelines, and post-incident reviews.
Compliance
We are actively pursuing SOC 2 Type II attestation, managed through OneLeet.
SOC 2 Type II
SOC 2 Type II is an independent audit of our security, availability, and confidentiality controls over a minimum 6-month observation period. We are currently in the preparation phase.
What is SOC 2?
SOC 2 (System and Organization Controls 2) is a framework developed by the AICPA that evaluates a service organization's controls against the Trust Services Criteria, which are organized in five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is in scope for every SOC 2 report; the other categories are included only when the organization selects them, which is why our report covers security, availability, and confidentiality. A Type II report covers how those controls operated over an extended period, typically 6 to 12 months, giving enterprise clients independent assurance that our practices match our claims.
Security practices
Data Security
- All data encrypted at rest (AES-256) and in transit (TLS 1.2+)
- No payment card data stored — payments handled by PCI-compliant processors
- Data classified and handled according to sensitivity level
- Data management and retention policy in development
Infrastructure Security
- Production hosted on Vercel, which holds its own SOC 2 Type II report
- Cloudflare provides edge DDoS protection and WAF
- All deployments are git-triggered CI/CD — no direct server SSH access
- Secrets managed via Vercel's encrypted environment variable system
Access Control
- Access Management Policy published and signed by all team members
- All systems require MFA; access follows least-privilege
- Password Policy published and enforced across all internal tooling
- Access revoked within one business day of offboarding
Vulnerability Management
- Code scanning on all repositories via GitHub Advanced Security and OneLeet
- Dependencies monitored for known CVEs via automated tooling
- Security patches applied within 24h (critical) or 72h (high)
- Vulnerability Management Policy currently being formalized
- Responsible disclosure accepted at [email protected]
Subprocessors
Third-party services we use to deliver our platform. Each has been evaluated for security posture.
| Vendor | Purpose | Data Processed | Security Info |
|---|---|---|---|
| Anthropic (Claude) | AI assistant for development & internal work | Code, project context, client-related work details | anthropic.com/security |
| Amazon Web Services | Cloud infrastructure | Application data, server logs, infrastructure metadata | aws.amazon.com/security |
| Cal.com | Meeting scheduling | Name, email, selected meeting times | cal.com/security |
| Cloudflare | CDN, WAF, DDoS protection, analytics | IP addresses, request metadata, anonymized analytics events | cloudflare.com/trust-hub |
| GitHub | Source code, CI/CD integration & code scanning | Source code, commit history, code scan results | github.com/security |
| Google Workspace | Email, calendar, and document collaboration | Email communications, calendar events, internal documents | workspace.google.com/security |
| Linear | Project & issue tracking | Project names, task descriptions, client-related work details | linear.app/security |
| MongoDB | Database infrastructure | Application data (no PII stored) | mongodb.com/trust |
| Okta | Identity & access management (SSO, MFA) | Employee identity, authentication events | okta.com/trust |
| OneLeet | SOC 2 compliance management & code scanning | Compliance documentation, control evidence, code scan results | oneleet.com |
| Slack | Team communication & collaboration | Messages, files, client-related communications | slack.com/trust/security |
| Sentry | Error tracking & monitoring | Stack traces, device metadata (no PII by policy) | sentry.io/security |
| Tella | Screen recording & video walkthroughs | Screen recordings, client project content | tella.tv/privacy |
| Toggl | Time tracking | Project names, client names, time entry descriptions | toggl.com/legal/privacy |
| Zoom | Video conferencing & client calls | Meeting recordings, participant names, chat messages | explore.zoom.us/trust |
| Vercel | Production hosting & CI/CD | Application code, environment variables, server logs | vercel.com/security |
Responsible Disclosure
Found a security issue? Please report it responsibly. We take all disclosures seriously and will respond within 3 business days.
[email protected]
Security updates
- Initiated SOC 2 Type II readiness engagement with OneLeet.
- Published Access Management Policy and Password Policy; signed by all team members.
- Migrated database infrastructure to MongoDB Atlas with encryption at rest enabled.
- Enabled automated code scanning across all repositories via GitHub Advanced Security and OneLeet.
- Deployed Okta SSO and MFA across all internal systems.
- Migrated all production deployments to Vercel's SOC 2 Type II-attested infrastructure.
- Enabled Sentry error tracking with PII scrubbing rules applied to all capture events.
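The Sentry scrubbing rules mentioned under Monitoring & Alerting and in the last update above are the kind of thing a reviewer will ask to see. The following is an added example of a scrubbing hook written for this page; it is not this company's actual Sentry configuration. It assumes the JavaScript SDK's real `beforeSend(event, hint)` hook (registered via `Sentry.init({ beforeSend, sendDefaultPii: false })`), a hypothetical list of sensitive key names, and a constructed sample event; the SDK itself is not required to run it.

```javascript
// Added example of a Sentry beforeSend hook that enforces a "no PII in events"
// policy. Illustrative only, not the configuration of the company on this page.
// Real wiring: Sentry.init({ beforeSend, sendDefaultPii: false }). The SDK calls
// beforeSend(event, hint) before transmission; returning the event sends it,
// returning null drops it.

// Hypothetical policy: values stored under these keys are never sent, whatever their type.
const SENSITIVE_KEYS = /^(password|passwd|secret|token|authorization|cookie|set-cookie|api[-_]?key|ssn)$/i;
// E-mail addresses anywhere in a string are replaced.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
// Credential-bearing query parameters in URLs and query strings are blanked.
const QUERY_RE = /(^|[?&])(token|access_token|password|secret|api[-_]?key|code)=[^&#]*/gi;
const REDACTED = '[redacted]';

function scrubString(s) {
  return s.replace(EMAIL_RE, REDACTED).replace(QUERY_RE, `$1$2=${REDACTED}`);
}

// Walk the event recursively. Redacts by key name first (so a sensitive key
// hides its value whatever the type), then by string content. Returns a new
// object; the input event is never mutated.
function scrubValue(value, key = '') {
  if (SENSITIVE_KEYS.test(key)) return REDACTED;
  if (typeof value === 'string') return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrubValue(v, k);
    return out;
  }
  return value;
}

function beforeSend(event, _hint) {
  const scrubbed = scrubValue(event);
  // The user context may carry email, username and ip_address: keep only a
  // pseudonymous id (already email-scrubbed above if it happened to be one).
  if (scrubbed.user && typeof scrubbed.user === 'object') {
    scrubbed.user = scrubbed.user.id !== undefined ? { id: String(scrubbed.user.id) } : undefined;
  }
  return scrubbed;
}

// Constructed sample event (not a real capture) showing the fields a web app
// typically leaks: an email in the message, a reset token in the URL, an
// Authorization header, and a password in breadcrumb data. Device metadata
// is kept, matching the "device metadata, no PII" scope in the table above.
const SAMPLE_EVENT = {
  message: 'Login failed for jane.doe@example.com',
  user: { id: 42, email: 'jane.doe@example.com', ip_address: '203.0.113.7' },
  request: {
    url: 'https://app.example.com/reset?token=abc123&lang=en',
    headers: { Authorization: 'Bearer eyJhbGci.payload.sig', 'User-Agent': 'Mozilla/5.0' },
  },
  contexts: { device: { model: 'iPhone', family: 'iOS' } },
  breadcrumbs: [{ category: 'http', data: { url: '/api?api_key=k1', password: 'hunter2' } }],
};

console.log(JSON.stringify(beforeSend(SAMPLE_EVENT, {}), null, 2));
```

Key-based redaction runs before content-based redaction on purpose: a header named `Authorization` is dropped even when its value does not look like a token, so the rule does not depend on guessing secret formats. The user block is rebuilt rather than filtered because the SDK can populate it with fields (`ip_address`, `username`) that the app never set explicitly.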