/ security practices
Security that won’t fail your vendor review.
Federal buyers, prime contractors, and DoD program offices all ask the same security questions. Here are our answers, documented, current, and under active audit.
/ control 01
Network-level protection
Cloudflare WAF in front of every endpoint. DDoS protection, bot management, and geo-filtering enabled by default.
/ control 02
Application hardening
CSP headers, HSTS, and Subresource Integrity on all static assets. No third-party JavaScript except explicitly reviewed analytics.
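An added example, not code from this page or its operator: a Python check a vendor reviewer could run offline over captured page HTML and response headers to verify the SRI and header claims above. The asset URLs and bodies are constructed for the example; in practice they would be the fetched static files.

```python
import base64, hashlib, re
from html.parser import HTMLParser
# Constructed sample asset bodies for a hypothetical site (not a real deployment).
ASSETS = {"/static/app.js": b"console.log('ok');\n", "/static/site.css": b"body{margin:0}\n"}
SRI_ALGOS = ("sha256", "sha384", "sha512")  # the digest algorithms browsers accept for SRI

def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for data, e.g. 'sha384-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.assets = []  # (url, integrity attribute or None) per external script/stylesheet
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.assets.append((a["src"], a.get("integrity")))
        elif tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self.assets.append((a["href"], a.get("integrity")))

def check_sri(html: str, assets: dict) -> list:
    """Report assets whose integrity attribute is missing or does not match the served bytes."""
    p = _Collector()
    p.feed(html)
    findings = []
    for url, integrity in p.assets:
        body = assets.get(url)
        if integrity is None:
            findings.append(f"{url}: missing integrity attribute")
        elif body is None:
            findings.append(f"{url}: asset not served")
        # The attribute may list several hashes; the browser accepts any one that matches.
        elif not any(t.split("-")[0] in SRI_ALGOS and sri_hash(body, t.split("-")[0]) == t
                     for t in integrity.split()):
            findings.append(f"{url}: integrity mismatch")
    return findings

def check_headers(headers: dict) -> list:
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < 31536000:  # one year is the usual minimum for HSTS preload
        findings.append("HSTS missing or max-age below one year")
    csp = h.get("content-security-policy", "")
    if not re.search(r"\b(default|script)-src\b", csp):
        findings.append("CSP missing default-src/script-src")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP permits 'unsafe-inline'")
    return findings
```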
/ control 03
Least-privilege access
Engineering access to production follows break-glass procedures with audit logging. No shared credentials. No AWS or Cloudflare root keys on laptops.
/ control 04
Vulnerability scanning
Dependabot and Snyk on every commit. Monthly penetration tests during private beta. Quarterly tests once generally available (GA).
/ control 05
Data minimization
We only collect what we need to operate. No behavioral analytics on customer contract data. No tracking pixels on authenticated pages.
/ control 06
Responsible disclosure
Report to [email protected]; we respond within 48 hours. Safe harbor for good-faith researchers. Credit on our security page for valid reports.
no lawsuits for reporting bugs