Trust · Security
Security as a floor, not a feature.
These are the practices applied to every system we build and operate - stated as practices, not badges. We claim no certification we do not hold; we describe what we actually do, and you are welcome to test it in due diligence.
Identity
- Authentication. Modern standards (OAuth 2.0 / OpenID Connect patterns), hashed credentials with current algorithms, MFA support where the product warrants it, and session handling that expires like it should.
- Authorization. Role-based access enforced inside every service - never only at the gateway or the UI. Every privileged action is checked at the point of execution and written to an audit log.
Data
- Encryption. TLS for everything in transit; encryption at rest on managed data services; no plaintext secrets or credentials, anywhere, ever.
- Secrets management. Managed vaults (cloud-native secret stores), rotation, and least-privilege access. Secrets never enter code, config files in repos, or logs.
- Backups & disaster recovery. Automated backups with retention appropriate to the domain - and restores are tested, because an untested backup is a hope, not a plan. Recovery steps are documented and rehearsed.
- Audit logs. Who did what, when, to which record - append-only, queryable, and included in handoff.
Application & API
- OWASP-aligned engineering. The OWASP Top 10 is our review checklist: injection, broken auth, XSS, insecure deserialisation and friends are tested for, not assumed away.
- API security. Input validation at every boundary, typed schemas (FastAPI’s validation is one reason it is in the stack), authenticated endpoints by default, and idempotency where retries could double-execute.
- Rate limiting. At the gateway (Nginx) and per-identity where abuse is plausible - protecting both availability and your bill.
Cloud & platform
Least-privilege IAM roles, private networking between services, security headers at the edge (the same set this website ships with - HSTS, CSP, frame denial), dependency scanning in CI, and infrastructure declared in Terraform so the security posture is reviewable as code. The layered model is drawn on the architecture page.
Honest limits
We do not currently hold formal certifications (SOC 2, ISO 27001). If your procurement requires them, say so on the strategy call - we will tell you plainly what we can and cannot satisfy, and we build systems so that a future audit is a documentation exercise, not a rebuild.
Security due diligence?
Send your questionnaire. Engineers answer it - accurately - within a few days, not weeks.
Related: Enterprise readiness · DevOps · Architecture · Process