Thanks.io Trust Center

    Security & Compliance Overview

    Thanks.io takes a security-first approach to building and operating our platform. Our infrastructure, development practices, and operational controls are designed to protect customer data and ensure reliable service delivery.

    SOC 2 Aligned | Hosted on AWS | Protected by Cloudflare | TLS 1.2+ Encryption

    Infrastructure & Hosting

    Our platform is hosted on Amazon Web Services (AWS) and leverages Cloudflare to enhance security, performance, and reliability at the edge.

    Key AWS Services

    • Compute and serverless processing (AWS Lambda)
    • Object storage (Amazon S3)
    • Messaging and queueing (Amazon SQS)
    • Logging and monitoring (AWS CloudWatch, AWS CloudTrail)
    • Edge security and content delivery (Cloudflare)

    Cloudflare Services

    • Web Application Firewall (WAF) protection
    • DDoS mitigation
    • Global CDN for low-latency delivery
    • DNS management and traffic filtering

    AWS and Cloudflare both maintain industry-recognized security certifications, including SOC 2 and ISO 27001.

    Data Security

    Control                 Description
    Encryption in Transit   All data encrypted using TLS 1.2+
    Encryption at Rest      Sensitive data encrypted using AWS-managed encryption mechanisms
    Data Isolation          Logical separation of customer data within our systems
    Access Controls         Strict role-based access to production systems

    Access Management

    We enforce the principle of least privilege across all systems:

    • Role-based access controls (RBAC)
    • Multi-factor authentication (MFA) required for all administrative access
    • Regular access reviews and revocation processes

    Application Security

    Security is integrated throughout our software development lifecycle:

    • All code changes undergo peer review via pull requests
    • Automated testing and CI/CD pipelines for safe deployments
    • No direct changes to production without review and approval
    • Dependency and vulnerability monitoring

    Logging & Monitoring

    • Centralized logging for infrastructure and application events
    • Real-time monitoring and alerting
    • Audit trails for key system activities
    • Integration with AWS CloudWatch, CloudTrail, and Cloudflare security event visibility

    Network & Edge Security

    Cloudflare provides an additional protective layer at the network edge:

    • Web Application Firewall (WAF) rules to block malicious traffic
    • Rate limiting and bot protection
    • DDoS mitigation at the edge
    • IP filtering and geo-based access controls

    This layered approach helps prevent malicious traffic from reaching origin infrastructure.

    Incident Response

    • Defined severity levels and escalation paths
    • Rapid investigation and containment procedures
    • Post-incident reviews and remediation tracking
    • Customer Notification: In the event of a confirmed data breach, affected customers are notified without undue delay and no later than 48 hours from discovery, in accordance with our incident response policies

    Backup & Disaster Recovery

    • Automated backups of critical systems
    • Secure storage of backup data
    • Periodic testing of restoration procedures

    Vendor & Subprocessor Management

    We evaluate and monitor third-party vendors that may process customer data:

    • Risk-based vendor assessments prior to onboarding
    • Use of trusted providers with established security programs
    • Key subprocessors include infrastructure and edge providers such as AWS and Cloudflare

    AI & Data Usage

    We leverage AI technologies to enhance our platform while maintaining strict data controls:

    • Customer data is not used to train external AI models without explicit consent
    • Data shared with AI providers is minimized and controlled
    • Secure API-based integrations with AI services

    Security Awareness & Training

    • Ongoing security awareness training for all personnel
    • Secure development practices integrated into engineering workflows
    • Internal policies governing data handling and access

    Compliance Roadmap

    We are actively pursuing formal compliance certifications:

    • SOC 2 Type I (Service Organization Control 2 - Security, Availability): Planned

    Security Contact

    For security-related inquiries, vulnerability disclosures, or compliance questions, please contact our security team directly.

    [email protected]