Security Practices

• Data in transit: All traffic to and from our services uses TLS 1.2 or higher. Older cipher suites are disabled.
• Data at rest: Database storage is encrypted at rest via our hosting provider (Supabase / AWS). Encryption keys are managed by the provider's KMS.
• Secrets management: Credentials, API keys, and secrets are stored in environment variable systems with restricted access. They are never committed to source control.

• Principle of least privilege: Staff and systems have only the access required for their function. Permissions are reviewed periodically.
• Multi-factor authentication: MFA is required for all administrative accounts across cloud providers, code repositories, and service infrastructure.
• Role-based access: Access to production systems and data is segregated by role. No shared credentials for production access.
• Offboarding: Access is revoked promptly on staff offboarding.

• Audit logging: Access to production systems, data modifications, and authentication events are logged.
• Infrastructure monitoring: We monitor availability, error rates, and performance through our hosting provider dashboards and alerting.
• Security alerting: Anomalous authentication patterns (repeated failures, access from unexpected locations) trigger alerts for review.
• Log retention: Security-relevant logs are retained for a minimum of 90 days.

• Hosting: Our services are hosted on Vercel (edge compute) and Supabase (database). Both maintain SOC 2 Type II certifications independently.
• CDN and DDoS protection: Cloudflare provides CDN, DDoS mitigation, and Web Application Firewall capabilities.
• Dependency management: Automated dependency vulnerability scanning via GitHub Dependabot. Critical vulnerabilities are addressed within defined SLAs.
• Network exposure: Database and admin interfaces are not publicly exposed. Access to production infrastructure requires authenticated, role-appropriate access paths.

See our dedicated Secure SDLC page for a full description of our development security practices.

• Code review required for all production changes
• Security considerations included in technical design reviews
• Automated SAST and dependency scanning in CI/CD pipeline
• Secrets scanning on all commits

• Detection: Monitoring and alerting enables rapid detection of security events.
• Response: We maintain an incident response process with defined escalation paths and communication templates.
• Notification: Affected parties are notified of data incidents within timeframes required by applicable law (including GDPR's 72-hour supervisory authority notification requirement).
• Post-incident review: Significant incidents are followed by a post-mortem to identify root cause and prevent recurrence.

• Third-party providers are evaluated for security posture before adoption
• We prefer providers with SOC 2 Type II or equivalent independent attestation
• AI model providers (Anthropic, OpenAI) are evaluated specifically for responsible AI practices and data handling commitments
• Our current subprocessors are listed at /legal/subprocessors