Security

Defense in depth: every layer audited, every credential rotated, every action logged.

Built by engineers who've worked breach response.

The protections we ship are the ones we wished we'd had at our last jobs.

Encryption

TLS 1.2+ in transit. AES-256 at rest on RDS, S3, and EBS. Customer secrets stored in AWS Secrets Manager with KMS-backed envelope encryption.

Access Control

Role-based access via PostgreSQL RLS and per-account JWT claims. Super-admin actions audited. MFA available; SSO (SAML/OIDC) on enterprise plans.

Network Isolation

All workloads run in private VPC subnets. RDS is not internet-reachable. Egress through NAT gateways. Bastion access via SSH key + IP allowlist.

Vulnerability Management

Continuous dependency scanning via Dependabot. Container images scanned in ECR. Quarterly third-party penetration tests.

Incident Response

24/7 on-call rotation. PagerDuty alerts on golden-signal regressions. Runbook-driven response with post-mortems published within 5 business days.

Secure Development

All code reviewed before merge. CI runs static analysis and dependency audit. Secrets never live in git — only in Secrets Manager.