
Security.

How we protect the records, the disclosure process, and what we're certified on — including what we're not.

Last updated 2026-05-15

Encryption

  • In transit: TLS 1.3, HSTS preload, certificate pinning on the API host.
  • At rest: AES-256, Cloudflare-managed keys.
  • Per-customer keys: Optional on Team tier — record PDFs encrypted with a key only your account can derive.

Authentication

  • Clerk hosted sign-in for the dashboard: email passcode, password, OAuth (Google, Microsoft), or passkey.
  • OAuth 2.1 + PKCE + Resource Indicators (RFC 8707) for MCP machine clients.
  • API keys are scoped (read-only, read-write, batch-only) and rotatable from the dashboard.
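What the OAuth 2.1 + PKCE + Resource Indicators bullet means in practice, as an added worked example (not Hoist's code or its authorization server): the machine client keeps a random code_verifier and sends only its S256 challenge plus an RFC 8707 `resource` parameter; the token endpoint refuses a code replayed without the verifier, and the token it mints carries an audience that only the named API accepts. Endpoint URLs, the client id and the token format are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636 verifier: 32 random bytes -> 43 unreserved characters."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge = base64url(SHA-256(verifier)); only this leaves the client up front."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(auth_endpoint, client_id, redirect_uri, challenge, resource, state):
    """Authorization request carrying the PKCE challenge and the RFC 8707 'resource' parameter."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "resource": resource,  # RFC 8707: which API the resulting token may be used at
        "state": state,
    }
    return f"{auth_endpoint}?{urlencode(params)}"


class AuthorizationServer:
    """Constructed in-memory authorization server (a placeholder, not Hoist's):
    stores the challenge and requested resource with each code, enforces both
    at the token endpoint, and stamps the token's audience."""

    def __init__(self, known_resources):
        self.known_resources = set(known_resources)
        self._pending = {}

    def authorize(self, client_id, challenge, resource):
        if resource not in self.known_resources:
            raise ValueError("invalid_target")  # RFC 8707 error for an unknown resource
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = {"client_id": client_id, "challenge": challenge, "resource": resource}
        return code

    def token(self, client_id, code, verifier, resource):
        entry = self._pending.pop(code, None)  # codes are single-use; a replay fails
        if entry is None or entry["client_id"] != client_id:
            raise ValueError("invalid_grant")
        # PKCE: a party that only saw the code cannot produce the verifier behind the challenge
        if not secrets.compare_digest(code_challenge_s256(verifier), entry["challenge"]):
            raise ValueError("invalid_grant")
        # Resource indicator: the token is minted for exactly the API it was requested for
        if resource != entry["resource"]:
            raise ValueError("invalid_target")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer", "aud": resource}


def resource_server_accepts(token, own_resource):
    """Each API checks 'aud', so a token issued for one resource is rejected by another."""
    return token.get("aud") == own_resource


def _outcome(fn):
    """Return 'ok' or the OAuth error string a call raised."""
    try:
        fn()
        return "ok"
    except ValueError as e:
        return str(e)


def demo():
    """Run the happy path and three failure modes; returns the outcome of each."""
    resource = "https://api.example.invalid/"  # constructed placeholder API
    other = "https://other.example.invalid/"   # a second API the AS also knows
    as_server = AuthorizationServer([resource, other])
    client = "mcp-client-placeholder"
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    url = build_authorization_url("https://auth.example.invalid/authorize", client,
                                  "http://127.0.0.1:8765/callback", challenge, resource,
                                  b64url(secrets.token_bytes(8)))
    code = as_server.authorize(client, challenge, resource)
    token = as_server.token(client, code, verifier, resource)
    results = {
        "url_has_resource": "resource=https%3A%2F%2Fapi.example.invalid%2F" in url,
        "happy": resource_server_accepts(token, resource),
        "cross_resource": resource_server_accepts(token, other),
        "replay": _outcome(lambda: as_server.token(client, code, verifier, resource)),
    }
    code2 = as_server.authorize(client, challenge, resource)
    results["bad_verifier"] = _outcome(lambda: as_server.token(client, code2, make_code_verifier(), resource))
    code3 = as_server.authorize(client, challenge, resource)
    results["wrong_resource"] = _outcome(lambda: as_server.token(client, code3, verifier, other))
    return results


if __name__ == "__main__":
    print(demo())
```

The two checks to look for in any implementation of this stack are the ones `token()` performs: the verifier is compared against the stored challenge with a constant-time comparison, and the `resource` at the token endpoint must match the one bound to the code, which is what keeps a token for one MCP resource server from being replayed at another.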

Penetration testing

Annual third-party penetration test. Last test: 2025-09 (pre-launch); next scheduled 2026-09. Executive summary available on request under NDA.

Certifications — honest status

  • SOC 2: Not yet. Will pursue when 5+ enterprise customers require it (we expect this in 2027).
  • ISO 27001: Not yet. Same trigger as SOC 2.
  • PCI-DSS: Out of scope — Stripe is merchant of record and holds card data.
  • IRAP / Australian Government: Not yet. Talk to us if you need this.

We will not display a fake "SOC 2 in progress" badge before it's real. When something changes, it appears in /changelog.

Disclosure policy

Report security issues to [email protected] (PGP fingerprint at /.well-known/security.txt). We acknowledge within 24 hours, fix critical issues within 7 days, and disclose publicly within 30 days of the fix.

Bug bounty

No formal program yet. We pay A$50–A$2,500 cash for valid security reports depending on severity. Email us; we negotiate per report.

Incidents

None publicly reported. If we have one, it gets a status-page entry, an email to affected customers within 72 hours, and a post-mortem at /blog.