/ trust center
The answers your CISO will ask — upfront.
Federal buyers don't sign without a security conversation. Here is ours, documented, in plain language, before you ever fill out a vendor questionnaire.
/ encryption
Encrypted at rest and in transit
TLS 1.3 for everything in flight. AES-256 at rest for all customer data in our Supabase Postgres. Keys managed by Cloudflare and Supabase's HSM-backed KMS.
- TLS 1.3
- AES-256 at rest
- HSM-backed keys
/ isolation
Tenant-isolated data
Row-level security on every table. No query path can cross tenant boundaries — enforced at the database layer, not just the app layer.
- Postgres RLS on every table
- Per-tenant encryption context
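The database-layer enforcement described above is what Postgres row-level security (RLS) provides. The following is an added illustration, not the vendor's actual schema or policy: it assumes a hypothetical `invoices` table with a `tenant_id` column, a hypothetical application role `app_user`, and that the application binds the authenticated tenant to the session variable `app.tenant_id` before running any query. With RLS enabled and forced, a query that omits a tenant filter still returns only that tenant's rows, and an insert for another tenant is rejected.

```sql
-- Added example, not the vendor's own schema. Assumes Postgres and a
-- hypothetical "invoices" table keyed by tenant_id.
CREATE TABLE invoices (
    id           bigserial PRIMARY KEY,
    tenant_id    uuid NOT NULL,
    amount_cents bigint NOT NULL,
    created_at   timestamptz NOT NULL DEFAULT now()
);

-- Enable RLS, and FORCE it so even the table owner is subject to policies.
-- Without FORCE, an app role that happens to own the table bypasses RLS.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- Default-deny: with RLS enabled and no matching policy, zero rows are visible.
-- NULLIF(..., '') guards the known gotcha that an unset custom GUC can read
-- back as '' rather than NULL; NULL::uuid compares false to every row, so an
-- unscoped session sees nothing instead of everything.
CREATE POLICY tenant_isolation ON invoices
    FOR ALL
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Application role (hypothetical name): not a superuser, no BYPASSRLS,
-- only the table privileges it needs.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;
GRANT USAGE, SELECT ON SEQUENCE invoices_id_seq TO app_user;

-- Worked check with constructed tenant ids. SET LOCAL scopes the tenant to
-- this transaction so a pooled connection cannot leak it to the next request.
BEGIN;
SET ROLE app_user;  -- requires membership in app_user or superuser
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

INSERT INTO invoices (tenant_id, amount_cents)
VALUES ('11111111-1111-1111-1111-111111111111', 1000);   -- accepted

-- Writing a row for another tenant fails the WITH CHECK clause:
-- ERROR:  new row violates row-level security policy for table "invoices"
-- INSERT INTO invoices (tenant_id, amount_cents)
-- VALUES ('22222222-2222-2222-2222-222222222222', 5);

-- Unfiltered read returns only tenant A's row.
SELECT count(*) FROM invoices;  -- 1

-- Rebind the transaction to tenant B: tenant A's row is now invisible even
-- with no WHERE clause, which is the cross-tenant guarantee RLS gives.
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
SELECT count(*) FROM invoices;  -- 0

-- Unset tenant context: default-deny, still 0 rows.
RESET app.tenant_id;
SELECT count(*) FROM invoices;  -- 0
ROLLBACK;
```

Two details make the policy hold up in practice: `FORCE ROW LEVEL SECURITY` closes the owner bypass, and binding the tenant with `SET LOCAL` inside the request's transaction means a connection pool cannot carry one tenant's context into another tenant's request.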
/ compliance
On the path to SOC 2 + CMMC
SOC 2 Type II targeted before general availability. CMMC Level 2 alignment through our DoD-facing contracts. FedRAMP Moderate on the long-term roadmap.
- SOC 2 Type II — in progress
- CMMC Level 2 — aligned
- FedRAMP Moderate — planned
/ data residency
US-only data residency
All customer data stored in US-region Supabase and processed by US-region Cloudflare Workers. No data leaves the United States. No offshore support or engineering teams.
/ authentication
SSO, MFA, and audit logging
SAML SSO planned for all paid tiers. Mandatory 2FA for admin accounts. Full audit log of every sensitive action — invoice generation, CDRL submission, access change.
- SAML SSO (Google, Microsoft, Okta)
- Mandatory MFA for admins
- Immutable audit log
/ backups
Point-in-time recovery
Daily backups with 30-day retention. Point-in-time recovery window of 7 days. Backups are encrypted and stored in a separate region from primary data.
/ incident response
Written incident response plan
Documented incident response process. Customer notification within 24 hours of a confirmed incident. Postmortems published to our status page.
- 24-hour notification SLA
- Public postmortems
/ vendors
Vetted subprocessor list
We use a small, named set of vendors — Cloudflare, Supabase, Railway, SendGrid, Stripe. Every subprocessor is listed publicly and reviewed annually.
- Full list published at /subprocessors
- DPAs on file with each vendor
/ disclosure
Responsible disclosure
Found a vulnerability? Email [email protected]. We respond within 48 hours, don't sue researchers acting in good faith, and credit reporters on our security page.
— bug bounty coming with general availability