/ trust center
The answers your CISO will ask for, upfront.
Federal buyers don't sign without a security conversation. Here is ours, documented, in plain language, before you ever fill out a vendor questionnaire.
/ encryption
Encrypted at rest and in transit
TLS 1.3 for everything in flight. AES-256 at rest for all customer data in our Supabase Postgres. Keys managed by Cloudflare and Supabase's HSM-backed KMS.
- TLS 1.3
- AES-256 at rest
- HSM-backed keys
/ isolation
Tenant-isolated data
Row-level security on every table. No query path can cross tenant boundaries; this is enforced at the database layer, not just the app layer.
- Postgres RLS on every table
- Per-tenant encryption context
/ compliance posture
Architected for federal compliance work
DeliverOps is built on AWS, Cloudflare, and Supabase infrastructure operated under formal compliance programs. Customer-facing controls are aligned with NIST 800-171 practices for federal-contractor data handling.
- NIST 800-171 control alignment
- US-region data residency
- Encryption-at-rest + TLS 1.3 in transit
/ data residency
US-only data residency
All customer data stored in US-region Supabase and processed by US-region Cloudflare Workers. No data leaves the United States. No offshore support or engineering teams.
/ authentication
SSO, MFA, and audit logging
SAML SSO planned for all paid tiers. Mandatory 2FA for admin accounts. Full audit log of every sensitive action: invoice generation, CDRL submission, access change.
- SAML SSO (Google, Microsoft, Okta)
- Mandatory MFA for admins
- Immutable audit log
/ backups
Point-in-time recovery
Daily backups with 30-day retention. Point-in-time recovery window of 7 days. Backups are encrypted and stored in a separate region from primary data.
/ incident response
Written incident response plan
Documented incident response process. Customer notification within 24 hours of confirmed incident. Postmortems published to our status page.
- 24-hour notification SLA
- Public postmortems
/ vendors
Vetted subprocessor list
We use a small, named set of vendors: Cloudflare, Supabase, Railway, SendGrid, and Stripe. Every subprocessor is listed publicly and reviewed annually.
- Full list published at /subprocessors
- DPAs on file with each vendor
/ disclosure
Responsible disclosure
Found a vulnerability? Email [email protected]. We respond within 48 hours, don't sue researchers acting in good faith, and credit reporters on our security page.
bug bounty coming with general availability