Legal's checklist,
already signed.
We hand procurement a folder, not a conversation. Certifications, sub-processors, pen-test reports, DPA — linked, dated, current. Below is the public version. Anything stamped “under NDA” lives one form away.
// certifications
Stamps, signed.
| Framework | Status | Evidence |
|---|---|---|
| SOC 2 | Type II | Under NDA; request via /security |
| ISO 27001 | Certified | PDF → |
| GDPR | DPA included | PDF → |
| HIPAA | BAA available | Request via /contact |
| CCPA | Compliant | PDF → |
| PCI-DSS | SAQ-A | PDF → |
// encryption
Crypto, current.
| Control | Scope |
|---|---|
| AES-256 | At rest: every database, every backup |
| TLS 1.3 | In transit; HSTS-preloaded |
| Per-tenant keys | Pro Max: customer-managed KMS |
| Zero-trust | Mutual TLS between all internal services |
// practices
What we do, every week.
- Quarterly pen tests: conducted by Cure53 + Trail of Bits. Reports under NDA on request.
- Continuous SCA + SAST: Snyk + Semgrep on every PR. A critical CVE blocks the merge and is remediated within 24h.
- Bug bounty program: public scope on HackerOne. $50–$15,000 per finding by severity.
- Vendor security review: every sub-processor reviewed annually. SOC 2 required for any new vendor handling customer data.
- Background checks: all employees with production access. Re-checked annually.
- Mandatory MFA: every internal tool. Hardware keys for production access.
- Audit logs, one-year retention: every admin action signed + immutable. Available to SOC 2 auditors on request.
- Disaster recovery: RPO 5 min, RTO 30 min. Quarterly failover drills with public results.
// incident response
From detect to RCA in five.
Every region runs the same playbook. Pro Max customers get paged directly; Pro+ within 15 minutes of public-status post; Free + Pro within an hour.
1. Detect: synthetic checks every 30s; alarms fire to PagerDuty.
2. Triage: on-call engineer responds within 5 minutes (24/7).
3. Contain: region-isolated; failover to the secondary region available within 90 seconds.
4. Notify: status page updates within 15 minutes; Pro Max customers paged directly.
5. Resolve: public RCA within 5 business days, credited per SLA.
// sub-processors
Who else touches your data.
We change this list rarely; when we do, you're notified 30 days before any new sub-processor goes live. Subscribe via RSS.
| Provider | Purpose | Region | Data category |
|---|---|---|---|
| Amazon Web Services | Compute · object storage | US, EU, APAC | Email metadata, logs, backups |
| Cloudflare | CDN · WAF · DNS | Global edge | IP, request metadata |
| Stripe | Billing | US (Ireland for EU) | Email, billing address, last 4 |
| PostHog (self-hosted) | Product analytics | EU (Frankfurt) | Pseudonymous user events |
| Sentry (self-hosted) | Error tracking | US (us-east-1) | Stack traces, user IDs |
| Plain.com | Customer support | US, EU | Email, support conversations |
| Twilio SendGrid | Internal team email only | US | Internal staff email |
// responsible disclosure
Found something? Tell us first.
We run a public bug bounty on HackerOne. Critical findings are paid within 5 business days, high within 14. Safe harbour applies: we won't pursue legal action over research that stays within scope and is conducted in good faith.