Compliance & Security

Infrastructure Hardening

Production and staging run on Google Cloud Compute Engine instances in multi-zone VPC networks, secured behind an HTTP/2-enabled Load Balancer. All ingress/egress traffic is encrypted with TLS 1.3 certificates provisioned via Let’s Encrypt (Certbot) and auto-renewed. Instances are hardened according to CIS benchmarks and receive automated OS patching.

Data Encryption & Access Controls

We store customer data in a dedicated MongoDB replica set with the WiredTiger encrypted storage engine (AES-256). In-transit data uses TLS 1.3. Access is restricted via GCP IAM roles and service accounts under the principle of least privilege. SSH access requires key-based auth with 90-day rotation.

Identity & Authentication

• MFA Enforcement: Admin consoles protected by multi-factor authentication (TOTP/U2F).
• JWT & Keys: API clients authenticate using JWTs signed with RSA-2048 key pairs.

Monitoring & Incident Response

• Cloud Monitoring & Logging: Aggregates system, audit, and application logs with 90-day retention.
• Sentry: Real-time error tracking and performance alerts.
• Alerting: PagerDuty notifications for P1/P2 incidents with 1-hour acknowledgment SLA.

Email & Payments

• SendGrid: Configured with DKIM, SPF, and DMARC for authenticated email delivery.
• Stripe: Uses Stripe Checkout (PCI DSS Level 1) so no card data is stored on our servers.

Secure Development Lifecycle

• GitHub PRs: Branch protection, mandatory peer reviews, and enforced code coverage.
• CI/CD & Scans: Automated unit/integration tests, ESLint, and Dependabot security updates on every push.
• Dependency Management: NPM audit and GitHub Security Alerts monitored weekly.

Standards & Certifications

We align our controls with ISO 27001:2013 and SOC 2 Type II frameworks. A formal SOC 2 audit is scheduled for Q3 2025.