/ security practices
Security that won't fail your vendor review.
Federal buyers, HUBZone primes, and DoD program offices all ask the same security questions. Here are our answers — documented, current, and under active audit.
/ control 01
Network-level protection
Cloudflare WAF in front of every endpoint. DDoS protection, bot management, and geo-filtering enabled by default.
/ control 02
Application hardening
CSP headers, HSTS, Subresource Integrity on all static assets. No third-party JavaScript except explicitly-reviewed analytics.
/ control 03
Least-privilege access
Engineering access to production follows break-glass procedures with audit logging. No shared credentials. No AWS or Cloudflare root keys on laptops.
/ control 04
Vulnerability scanning
Dependabot + Snyk on every commit. Monthly penetration tests during private beta; quarterly penetration tests once generally available (GA).
/ control 05
Data minimization
We only collect what we need to operate. No behavioral analytics on customer contract data. No tracking pixels on authenticated pages.
/ control 06
Responsible disclosure
[email protected] — we respond within 48 hours. Safe harbor for good-faith researchers: no lawsuits for reporting bugs. Credit on our security page for valid reports.