Security practices
We take a defense-in-depth approach. Our practices evolve; the list below reflects current state.
- Encryption in transit
- TLS 1.3 across all customer-facing traffic. HTTP is redirected to HTTPS; HSTS is enabled.
- Encryption at rest
- Database volumes and object storage are encrypted at the disk layer.
- Role-based access control
- Staff actions are gated by least-privilege roles; impersonation is logged separately with reason.
- Audit logging
- Every mutating staff action writes to an append-only audit log retained for 24 months.
- MFA on staff accounts
- Multi-factor authentication is mandatory for all staff roles.
- Secrets management
- Production secrets live in a managed secrets store; access is audited; rotation runbooks exist.
- Vendor review
- We review subprocessors annually for security and PDPL alignment. See /trust/subprocessors.
- Penetration testing
- We commission third-party penetration testing on an annual cadence; remediation is tracked.
- Responsible disclosure
- We honor good-faith research; we do not pursue researchers who follow our policy and stay within scope.
Found a vulnerability? Email us: We'll share contact details soon.