Security roadmap
How we grow our safeguards.
A customer-friendly view of how we keep raising the security bar—focused on practical safeguards and transparency without over-promising timelines.
Roadmap items are directional and may change as we learn.
Current foundation
- Cloudflare TLS 1.2+, HSTS, WAF, and rate limiting on every portal session.
- Postgres Row-Level Security plus per-customer object storage for uploads and reports.
- Secrets stored via managed services (Vercel/Doppler) with no plaintext in repos.
- Structured logging for traceability, plus signed download links that expire after 72 hours so a leaked URL stops working.
- Privacy policy, service agreement clauses, and draft DPA template ready for customers.
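The Row-Level Security item above is the control that keeps one customer's rows invisible to another. The following is an added illustration, not the portal's actual schema or policy: table, column and role names (`reports`, `customer_id`, `portal_app`, `app.customer_id`) are assumed. It shows the two details that are easy to get wrong: the owner of the table bypasses RLS unless `FORCE ROW LEVEL SECURITY` is set, and superusers or roles with `BYPASSRLS` bypass every policy regardless.

```sql
-- Added illustration (assumed names, not the portal's real schema):
-- a per-customer table isolated with Postgres Row-Level Security.
CREATE TABLE reports (
    id          bigserial PRIMARY KEY,
    customer_id uuid NOT NULL,
    object_key  text NOT NULL,   -- key of the per-customer object in storage
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- The application connects as a role that does NOT own the table and has no
-- BYPASSRLS attribute; superusers and BYPASSRLS roles ignore every policy.
CREATE ROLE portal_app LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON reports TO portal_app;
GRANT USAGE, SELECT ON SEQUENCE reports_id_seq TO portal_app;

ALTER TABLE reports ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner still sees every row even with RLS enabled.
ALTER TABLE reports FORCE ROW LEVEL SECURITY;

-- One policy covers reads and writes: a row is visible or writable only when
-- its customer_id equals the tenant pinned on the current session.
-- current_setting(..., true) returns NULL when the setting was never set and
-- '' after a RESET; NULLIF turns both into NULL so the comparison fails
-- closed (no rows match) instead of raising a uuid cast error.
CREATE POLICY tenant_isolation ON reports
    FOR ALL
    TO portal_app
    USING      (customer_id = NULLIF(current_setting('app.customer_id', true), '')::uuid)
    WITH CHECK (customer_id = NULLIF(current_setting('app.customer_id', true), '')::uuid);

-- Per request, after authenticating the user, the application pins the tenant
-- for this transaction only (SET LOCAL), so a pooled connection cannot carry
-- the value into the next request.
BEGIN;
SET LOCAL app.customer_id = '11111111-1111-1111-1111-111111111111';
SELECT id, object_key FROM reports;   -- returns only customer 1111...'s rows
-- Writing a row for another customer is rejected by WITH CHECK and aborts the
-- transaction: "new row violates row-level security policy for table reports"
INSERT INTO reports (customer_id, object_key)
    VALUES ('22222222-2222-2222-2222-222222222222', 'other/report.pdf');
COMMIT;
```

A quick check worth running after any migration: connect as `portal_app` without setting `app.customer_id` and confirm `SELECT count(*) FROM reports` returns 0; then connect as the table owner and confirm the same query also returns 0, which proves `FORCE ROW LEVEL SECURITY` is in effect.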
Near-term (best-practice package)
- Publish internal security policies (Acceptable Use, Access Control, Incident Response).
- Maintain asset inventory + risk register across portal, workers, storage, and dependencies.
- Quarterly access reviews for portal admin and infrastructure accounts.
- Finalize Data Subject Request workflow (intake form, SLA, evidence log).
- Document vendor due diligence for core providers (Vercel, AWS/S3, Supabase/Neon).
Audit readiness (SOC 2 / ISO alignment)
- Assess control gaps with trusted tooling or advisors to align with SOC 2 security practices.
- Assign ownership for each control: logging, change management, vulnerability handling.
- Automate evidence collection through CI/CD, infra, and ticketing systems.
- Roll out annual security awareness training for all team members.
- Define ISMS scope and Statement of Applicability for ISO 27001:2022.
GDPR operationalization
- Maintain a Record of Processing Activities (RoPA) for all personal data flows.
- Provide customer-ready DPA covering processing roles, sub-processors, and security measures.
- Automate retention + deletion scripts for reports, invoices, and uploads.
- Ensure incident response playbooks cover GDPR timelines, including notifying the supervisory authority within 72 hours of becoming aware of a personal data breach.