# Security

Note: SOC 2 Type II observation window started 2026-04-20; target report ~2026-10-20.

## Posture
- SOC 2 Type II in observation (start: 2026-04-20; target report: ~2026-10-20)
- All production traffic TLS 1.3+
- Data at rest: AES-256 (Supabase Postgres, AWS S3)
- Secrets: Railway vault + AWS KMS; rotated after any incident and at least annually
- Penetration test: annual (next: 2026-10)
- Vanta-monitored: Supabase, Fly.io, AWS, GitHub, Slack
## Sub-processors
| Sub-processor | Purpose | Data | Region |
|---|---|---|---|
| Supabase | Auth, Postgres | PII, audit_event, team_member | us-east-1 |
| Railway | Redis, application hosting | transient queue state | us-west2 / us-east-1 |
| Fly.io | Managed workers (Enterprise) | customer compute | multi-region |
| Stripe | Billing | customer_id, invoice | US |
| Anthropic | Brand-tone LLM judge | outbound payload samples | US |
| Slack | Approval callbacks | approval metadata | US |
| AWS | S3 staging (audit export) | Parquet exports | us-east-1 |
| Sentry | Error tracking | stack traces, user_id | US |
## Data Handling
- Encryption at rest: AES-256-GCM for customer secrets (webhook, callback, mTLS CA) and audit-export credentials
- Encryption in transit: TLS 1.3+
- Retention: plan-based — Free 7d · Pro 30d · Team 90d · Enterprise 365d+
- PII redaction: applied before the worker receives the payload (see Guardrail Engine)
- Audit logs: partitioned by month, immutable, 1-year retention minimum
## Incident Response
We commit to disclosing confirmed breaches affecting customer data within 24 hours of confirmation.
To report a vulnerability or security incident:
- Email: [email protected]
- We acknowledge reports within 24 hours
- Critical issues are remediated within 7 days
## Policies
The following policies govern our security program: