Your data stays exactly where it should.
Audited infrastructure, structured controls, and a public track record. This isn't a page of marketing adjectives — it's the real map.
What we've implemented, per domain.
TLS 1.3 in transit; AES-256 at rest (SOC 2 CC6.1)
bcrypt hashing; SSO, TOTP 2FA, WebAuthn (SOC 2 CC6.6)
AWS + Cloudflare; automatic patching; segmented VPCs (SOC 2 CC7.2)
Row-level security; least-privilege IAM; just-in-time prod access (SOC 2 CC6.3)
Point-in-time restore; 30-day retention; quarterly DR drills (SOC 2 A1.2)
No sale, no ML training on individual data, no ad sharing (GDPR Art. 5)

Every audit, every finding, public.
Incidents and findings are published with dates, auditor names, and remediation status. Nothing hidden.
SOC 2 Type II renewal
No material exceptions. Report available under NDA.
Penetration test (external)
3 low-severity findings, all remediated within 48h. Report available to enterprise customers.
Dependency audit
2 deprecated packages replaced. Zero known CVEs in production tree as of audit date.
Pen-test (internal architecture)
1 medium finding (header leak), patched in 24h. Full report published.
Hall of Fame
Total paid out in the last 12 months: $9,700 across 4 researchers. Payouts range $200 → $10,000 depending on severity.
Enterprise security docs?
SOC 2 report, pen-test summary, DPA, and custom contracts available for teams on Scale and Enterprise plans.