Security is infrastructure, not a feature.
We treat your data the way we treat our own: with paranoia, redundancy, and zero tolerance for shortcuts.
Encryption at Rest
All client data is encrypted at rest using AES-256. Encryption keys are managed through a dedicated key management service with automatic rotation. Database-level encryption is enabled on all production systems.
Encryption in Transit
All data in transit is protected by TLS 1.3. We enforce HTTPS across all endpoints and reject connections using older, insecure protocols. Certificate pinning is implemented for critical internal services.
Access Control
We enforce role-based access control (RBAC) with the principle of least privilege. All internal access to production systems requires MFA. Privileged access is time-limited and fully audited. There is no standing access to client data.
Penetration Testing
We conduct annual third-party penetration tests and continuous automated vulnerability scanning. Critical findings are remediated within 24 hours; high-severity findings within 7 days. Reports are available to enterprise clients under NDA.
Data Residency
Client data is stored in AWS US-East-1 by default. EU data residency is available for clients with applicable compliance requirements. Data is never replicated outside of agreed regions without explicit written consent.
Vendor Risk
All sub-processors and third-party vendors are reviewed for security posture before engagement. We maintain a current list of sub-processors and notify clients of material changes. Vendors with access to client data must meet our minimum security baseline.
Found a vulnerability?
We take security reports seriously and respond to all credible submissions. If you've identified a vulnerability in our platform or infrastructure, please report it to us privately. We commit to acknowledging reports within 24 hours and providing a status update within 5 business days.
We do not take legal action against researchers who report vulnerabilities in good faith and give us a reasonable opportunity to remediate before public disclosure. We offer recognition and, for critical findings, financial rewards at our discretion.