Security & Compliance

We take Trust seriously

We build on the web's most trusted infrastructure and hold ourselves to a high standard of security practice — because our clients' data and reputations depend on it.

Atomic Glue security knight moose mascot

Our security posture

Data Encryption

All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). We never store plaintext credentials.

Access Control

Access follows least-privilege. All internal tooling requires MFA. Access is revoked within one business day of offboarding.

Monitoring & Alerting

Errors tracked via Sentry with automated alerting. Cloudflare provides DDoS mitigation and WAF protection at the edge.

Incident Response

We maintain a documented incident response plan with defined severity tiers, notification timelines, and post-incident reviews.

Security practices

Data Security

All data encrypted at rest (AES-256) and in transit (TLS 1.2+)
No payment card data stored — payments handled by PCI-compliant processors
Data classified and handled according to sensitivity level
Data management and retention policy in development

Infrastructure Security

Production hosted on Vercel — SOC 2 Type II certified infrastructure
Cloudflare provides edge DDoS protection and WAF
All deployments are git-triggered CI/CD — no direct server SSH access
Secrets managed via Vercel's encrypted environment variable system

Access Control

Access Management Policy published and signed by all team members
All systems require MFA; access follows least-privilege
Password Policy published and enforced across all internal tooling
Access revoked within one business day of offboarding

Vulnerability Management

Code scanning on all repositories via GitHub Advanced Security and OneLeet
Dependencies monitored for known CVEs via automated tooling
Security patches applied within 24h (critical) or 72h (high)
Vulnerability Management Policy currently being formalized
Responsible disclosure accepted at [email protected]

Compliance

We are actively pursuing SOC 2 Type II certification, managed through OneLeet.

What is SOC 2?

SOC 2 (System and Organization Controls 2) is a framework developed by the AICPA that evaluates a service organization's controls across five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A Type II report covers how those controls operated over an extended period — typically 6–12 months — giving enterprise clients independent assurance that our practices match our claims.

In Progress

SOC 2 Type II

SOC 2 Type II is an independent audit of our security, availability, and confidentiality controls over a minimum 6-month observation period. We are currently in the preparation phase.

Preparation

Audit Window

Report Issued

Subprocessors

Third-party services we use to deliver our platform. Each has been evaluated for security posture.

Vendor	Purpose	Data Processed	Security Info
Anthropic (Claude)	AI assistant for development & internal work	Code, project context, client-related work details	anthropic.com/security
Amazon Web Services	Cloud infrastructure	Application data, server logs, infrastructure metadata	aws.amazon.com/security
Cal.com	Meeting scheduling	Name, email, selected meeting times	cal.com/security
Cloudflare	CDN, WAF, DDoS protection, analytics	IP addresses, request metadata, anonymized analytics events	cloudflare.com/trust-hub
Doppler	Secrets & environment variable management	Environment variable names and values, API keys, secrets	doppler.com/security
GitHub	Source code, CI/CD integration & code scanning	Source code, commit history, code scan results	github.com/security
Google Workspace	Email, calendar, and document collaboration	Email communications, calendar events, internal documents	workspace.google.com/security
Linear	Project & issue tracking	Project names, task descriptions, client-related work details	linear.app/security
MongoDB	Database infrastructure	Application data (no PII stored)	mongodb.com/trust
Okta	Identity & access management (SSO, MFA)	Employee identity, authentication events	okta.com/trust
OneLeet	SOC 2 compliance management & code scanning	Compliance documentation, control evidence, code scan results	oneleet.com
Slack	Team communication & collaboration	Messages, files, client-related communications	slack.com/trust/security
Sentry	Error tracking & monitoring	Stack traces, device metadata (no PII by policy)	sentry.io/security
Tella	Screen recording & video walkthroughs	Screen recordings, client project content	tella.tv/privacy
Toggl	Time tracking	Project names, client names, time entry descriptions	toggl.com/legal/privacy
Zoom	Video conferencing & client calls	Meeting recordings, participant names, chat messages	explore.zoom.us/trust
Vercel	Production hosting & CI/CD	Application code, environment variables, server logs	vercel.com/security

Responsible Disclosure

Found a security issue? Please report it responsibly.

We take all disclosures seriously and will respond within 3 business days.

[email protected]

Security updates

May 2026

Deployed Doppler for secrets management across all projects.
Feb 2026

Initiated SOC 2 Type II readiness engagement with OneLeet.
Dec 2025

Published Access Management Policy and Password Policy; signed by all team members.
Nov 2025

Migrated database infrastructure to MongoDB Atlas with encryption at rest enabled.
Oct 2025

Enabled automated code scanning across all repositories via GitHub Advanced Security and OneLeet.
Aug 2025

Deployed Okta SSO and MFA across all internal systems.
Jan 2025

Migrated all production deployments to Vercel's SOC 2-certified infrastructure.
Jan 2025

Enabled Sentry error tracking with PII scrubbing rules applied to all capture events.

# Trust & Security — Atomic Glue

We build on the web’s most trusted infrastructure and hold ourselves to a high standard of security practice — because our clients’ data and reputations depend on it.

## Security posture

Data Encryption — All data encrypted at rest (AES-256) and in transit (TLS 1.2+). We never store plaintext credentials.
Access Control — Access follows least-privilege. All internal tooling requires MFA. Access revoked within one business day of offboarding.
Monitoring & Alerting — Errors tracked via Sentry with automated alerting. Cloudflare provides DDoS mitigation and WAF protection at the edge.
Incident Response — Documented incident response plan with defined severity tiers, notification timelines, and post-incident reviews.

## Security practices

Data Security — AES-256 encryption at rest and TLS 1.2+ in transit. No payment card data stored. Data classified by sensitivity.
Infrastructure Security — Hosted on Vercel (SOC 2 Type II certified). Cloudflare DDoS/WAF. Git-triggered CI/CD — no direct SSH. Secrets via Vercel encrypted environment variables.
Access Control — MFA required on all systems. Least-privilege access. Access revoked within one business day of offboarding.
Vulnerability Management — Code scanning via GitHub Advanced Security and OneLeet. Critical patches within 24h, high within 72h. Responsible disclosure: [email protected].

## Compliance

SOC 2 Type II — Status: In Progress (Preparation phase). Managed through OneLeet. SOC 2 Type II is an independent audit of security, availability, and confidentiality controls over a minimum 6-month observation period.

## Subprocessors

Anthropic (Claude) — AI assistant for development & internal work
Amazon Web Services — Cloud infrastructure
Cal.com — Meeting scheduling
Cloudflare — CDN, WAF, DDoS protection, analytics
Doppler — Secrets & environment variable management
GitHub — Source code, CI/CD, code scanning
Google Workspace — Email, calendar, documents
Linear — Project & issue tracking
MongoDB — Database infrastructure
Okta — Identity & access management (SSO, MFA)
OneLeet — SOC 2 compliance management & code scanning
Slack — Team communication & collaboration
Sentry — Error tracking & monitoring
Tella — Screen recording & video walkthroughs
Toggl — Time tracking
Vercel — Production hosting & CI/CD
Zoom — Video conferencing & client calls

## Responsible Disclosure

Found a security issue? Report it responsibly. We respond within 3 business days.

[[email protected]](mailto:[email protected])