A Fortress for Your Foundation

Security is integrated into all phases, from design to deployment.

• Threat modeling exercises for all new major features.
• Mandatory peer review for all code changes to production.
• Engineers trained on secure coding guidelines (e.g., OWASP Top 10).

Automated SAST in CI/CD. DAST implementation is in progress.

• SAST scans run on every commit to identify vulnerabilities early.
• DAST scans are planned for the staging environment before major releases.

Third-party libraries are continuously scanned for vulnerabilities.

• Automated alerts are generated for new critical vulnerabilities.
• A formal process is in place for patching critical dependencies.

Annual penetration tests are planned, starting pre-GA.

• We will engage a CREST-certified third-party testing firm.
• The scope will include the application, network, and cloud infrastructure.

User access is strictly scoped based on predefined roles.

• Access roles and permissions are reviewed on a quarterly basis.
• Users must request access to new systems through a formal approval process.

All data communication is encrypted with TLS 1.2 or higher.

• TLS 1.3 is supported and preferred for all connections.
• We enforce the use of strong cipher suites and disable outdated protocols.

Customer data is encrypted using AES-256 on all storage systems.

• Encryption keys are managed using AWS Key Management Service (KMS).
• All database backups and snapshots are also encrypted.

Automated processes for data deletion (Right to be Forgotten) and export.

• GDPR deletion requests are fulfilled within 30 days via an automated process.
• Data exports are provided in a machine-readable JSON format.

We build on the world-class, compliant infrastructure of Cloudflare, inheriting their robust physical, network, and operational security controls.

• Our provider, Cloudflare, maintains a comprehensive portfolio of attestations, including SOC 2 Type II, ISO 27001, and PCI-DSS Level 1.
• Our internal due diligence program includes a formal review of the SOC 2 report and other certifications from our provider to ensure their controls meet our requirements.
• We operate under a clear Shared Responsibility Model, where our provider secures the underlying infrastructure, and we are responsible for securing the application and data layers we build on top.
• We continuously monitor the security status of our provider and subscribe to their security advisories to proactively manage inherited risk.

Infrastructure configurations are based on CIS benchmarks.

• Our infrastructure-as-code (IaC) is scanned for misconfigurations.
• We follow hardening guidelines from the Center for Internet Security (CIS).

Protected by industry-leading DDoS mitigation and Web Application Firewall.

• We use Cloudflare for Layer 3, 4, and 7 DDoS protection.
• Our WAF is configured with the OWASP Core Rule Set to block common attacks.

All system and application logs are centralized for security monitoring.

• Logs are aggregated into a central SIEM for analysis and alerting.
• Alerts are configured for anomalous or suspicious activities.

Employee access to systems is strictly limited to their job requirements.

• Access to production systems is restricted to named, authorized personnel.
• Employee access levels are reviewed quarterly and upon role changes.

Multi-Factor Authentication is mandatory for all internal staff access.

• MFA is enforced on our cloud providers, code repositories, and email.
• We require the use of phishing-resistant authenticators (U2F/WebAuthn).

Mandatory security awareness training for all employees upon hiring and annually.

• Training covers data privacy, incident reporting, and phishing awareness.
• We conduct internal phishing simulations on a quarterly basis.

A formal incident response plan is documented and regularly tested.

• The plan includes procedures for detection, containment, and notification.
• We conduct annual tabletop exercises to test the effectiveness of our plan.