Security & Trust

Your customers' data,
treated like their money.

Multi-tenant isolation, encrypted everything, every action logged. Built to OWASP from day one — not retrofitted.

bcrypt password hashing

Cost factor 12. Plain-text passwords never touch disk; rainbow tables are mathematically useless. Recommended by OWASP since 2009.

SHA-256 session tokens

Raw tokens never persist server-side. Even if our database is compromised, attackers cannot impersonate users with the stolen data.

HttpOnly + Secure + SameSite=Strict cookies

Session tokens unreachable from JavaScript. Immune to XSS theft. SameSite=Strict eliminates CSRF cross-site abuse entirely.

Tenant isolation at the API layer

Every database query is filtered by tenant_id from the authenticated session. Cross-tenant data leakage is impossible by design — not by policy.
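The three controls above (SHA-256 digests of session tokens, the cookie attributes, and tenant_id scoping taken from the session) fit together in one request path. The following is an added illustration written for this page, not the product's own code; the in-memory tables, record rows and function names are constructed stand-ins.

```python
import hashlib
import secrets
from typing import Optional

# Constructed in-memory stand-ins for the sessions and records tables.
# Sessions are keyed by the SHA-256 digest of the token, never the raw token.
SESSIONS: dict[str, dict] = {}
RECORDS = [  # constructed sample rows belonging to two tenants
    {"id": 1, "tenant_id": 10, "body": "tenant-10 invoice"},
    {"id": 2, "tenant_id": 20, "body": "tenant-20 invoice"},
    {"id": 3, "tenant_id": 10, "body": "tenant-10 note"},
]


def token_digest(raw_token: str) -> str:
    """SHA-256 of the token: what the server persists instead of the token."""
    return hashlib.sha256(raw_token.encode("ascii")).hexdigest()


def create_session(user_id: int, tenant_id: int) -> str:
    """Mint a 256-bit random token, store only its digest, hand the raw token back."""
    raw = secrets.token_urlsafe(32)  # OS CSPRNG; the raw value exists only in this response
    SESSIONS[token_digest(raw)] = {"user_id": user_id, "tenant_id": tenant_id}
    return raw


def session_cookie(raw_token: str) -> str:
    """Set-Cookie value carrying the attributes listed above."""
    return f"session={raw_token}; HttpOnly; Secure; SameSite=Strict; Path=/"


def resolve_session(presented_token: str) -> Optional[dict]:
    """Hash what the client presents and look that up. A digest copied out of a
    leaked SESSIONS table re-hashes to a different value, so it does not resolve."""
    return SESSIONS.get(token_digest(presented_token))


def records_for(session: dict) -> list:
    """Every read is scoped by the tenant_id in the session, not by request input."""
    return [r for r in RECORDS if r["tenant_id"] == session["tenant_id"]]


def records_from_cookie(presented_token: str) -> list:
    """Request path: cookie -> session -> tenant-scoped rows (empty if unauthenticated)."""
    session = resolve_session(presented_token)
    return records_for(session) if session else []
```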

Per-tenant audit log

Every signup, login, edit, delete, and AI query is stored with IP and user-agent. SOC-2-ready evidence trail. Available for compliance reviews.

Rate-limited login

5 failed attempts per IP per 15-minute window. Brute-force attacks return 429 within seconds. Account-lock + IP throttle in layered defense.

Password complexity enforced

12+ characters, mixed case, number, special character. Blocklist of common passwords. No weak-password attack surface, ever.

Security headers on every response

X-Frame-Options DENY · X-Content-Type-Options nosniff · Referrer-Policy strict-origin-when-cross-origin · CSP-ready.

GDPR + CCPA compliant

Privacy policy + ToS shipped. Data export, deletion, and consent built into workspace settings. International data subject rights honored.

Compliance roadmap

What we have. What's coming.

OWASP Top 10 alignment

All 10 categories addressed from day one. Annual re-review.

SHIPPED

GDPR + CCPA compliance

Privacy policy, data export, consent, deletion all in place.

SHIPPED

SOC 2 Type I

Audit in progress with a Big-4 affiliate. Reports available to Enterprise customers under NDA.

Q4 2026

SOC 2 Type II

Continuous monitoring controls. 12-month observation window starts after Type I.

2027

HIPAA & ISO 27001

Available on enterprise self-host. Roadmap depends on customer demand.

On request

For your security team

We make vendor reviews easy.

Vendor questionnaires

Pre-filled and ready

SIG, CAIQ, and custom questionnaires already prepared. We sign your standard NDA and turn around responses in 48 hours.

Sub-processors

Transparent list

Stripe (payments), Postmark (email), Cloudflare (DNS/CDN), Fly.io (hosting), Anthropic (AI). Updated when changed.

Bug bounty

Responsible disclosure

Found something? We pay for valid reports. Coordinated 90-day disclosure, no legal threats for good-faith research.

Need details?

Talk to our security team.

Vendor questionnaire, architecture review, pen-test results — whatever your team needs to greenlight us.

Request a security review →