Security roadmap
How we grow our safeguards.
This outline mirrors the internal roadmap at docs/security_compliance_roadmap.md. Use it when customers or stakeholders ask, “What’s next?”
Current foundation
- Cloudflare TLS 1.2+, HSTS, WAF, and rate limiting on every portal session.
- Postgres Row-Level Security plus per-customer object storage for uploads and reports.
- Secrets stored via managed services (Vercel/Doppler) with no plaintext in repos.
- Structured logging and signed download links (72h TTL) for traceability.
- Privacy policy, service agreement clauses, and draft DPA template ready for customers.
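As an added illustration of the signed download links (72h TTL) listed above, not code from the roadmap or the product itself: an HMAC-signed link generator and the server-side check that rejects expired or altered links. The signing key, report path and function names are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real deployment loads this from the secrets manager.
SIGNING_KEY = b"constructed-demo-key-do-not-use"
TTL_SECONDS = 72 * 3600  # the 72-hour TTL from the roadmap


def _signature(path: str, expires: int, key: bytes) -> str:
    """HMAC-SHA256 over the path and expiry, URL-safe base64 without padding."""
    msg = f"{path}\n{expires}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_download_url(path: str, key: bytes = SIGNING_KEY,
                      now: Optional[int] = None, ttl: int = TTL_SECONDS) -> str:
    """Return path?expires=...&sig=... valid for `ttl` seconds from `now`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    sig = _signature(path, expires, key)
    return f"{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_download_url(url: str, key: bytes = SIGNING_KEY,
                        now: Optional[int] = None) -> bool:
    """Accept only links whose expiry is in the future and whose HMAC matches."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    if now > expires:
        return False  # link has expired
    expected = _signature(parsed.path, expires, key)
    # Constant-time comparison so signature checks do not leak timing information.
    return hmac.compare_digest(expected, sig)
```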
Near-term (best-practice package)
- Publish internal security policies (Acceptable Use, Access Control, Incident Response).
- Maintain an asset inventory and risk register covering the portal, workers, storage, and dependencies.
- Quarterly access reviews for portal admin and infrastructure accounts.
- Finalize Data Subject Request workflow (intake form, SLA, evidence log).
- Document vendor due diligence for core providers (Vercel, AWS/S3, Supabase/Neon).
SOC 2 / ISO preparation
- Run gap analysis with auditor/tooling to map controls to SOC 2 Security + Confidentiality.
- Assign ownership for each control: logging, change management, vulnerability handling.
- Automate evidence collection through CI/CD, infra, and ticketing systems.
- Roll out annual security awareness training for all team members.
- Define ISMS scope and Statement of Applicability for ISO 27001:2022.
GDPR operationalization
- Maintain a Record of Processing Activities (RoPA) for all personal data flows.
- Provide customer-ready DPA covering processing roles, sub-processors, and security measures.
- Automate retention and deletion scripts for reports, invoices, and uploads.
- Ensure incident response playbooks cover GDPR timelines (72h notification).
Need something specific?