Trust

How we earn the right to handle your repo, your voice, and your audience.

Security and compliance posture, kept current. Every control listed here has a corresponding control in the SOC 2 audit and an artifact in the repo. Nothing on this page is aspirational.

Security overview

Defense in depth across edge, app, data, and operational layers.

Encryption in transit

TLS 1.3 everywhere. HSTS preload at the edge (Cloudflare). Internal service-to-service traffic uses mTLS.

Encryption at rest

Neon-managed encryption at rest for Postgres; Cloudflare R2 server-side encryption for object storage. Sensitive secrets (e.g. platform OAuth tokens) use per-workspace data keys via envelope encryption (dm-vault). Residual AWS backups are encrypted under an AWS KMS key tree.

Tenant isolation

Postgres row-level security on every workspace-scoped table. A CI isolation test seeds two workspaces and runs cross-workspace read attempts; the build fails on any leak.
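One way such an isolation test can be written, as an added example that is not SuperPost's own schema or CI code; the posts table, the app.workspace_id session setting and the isolation_tester role are assumptions, and the script is meant to run under psql with ON_ERROR_STOP so that a raised exception fails the build:

```sql
-- Assumed schema: one workspace-scoped table keyed by workspace_id.
CREATE TABLE posts (
  id            bigserial PRIMARY KEY,
  workspace_id  uuid NOT NULL,
  body          text NOT NULL
);

-- RLS is skipped for superusers and, without FORCE, for the table owner.
ALTER TABLE posts ENABLE ROW LEVEL SECURITY;
ALTER TABLE posts FORCE ROW LEVEL SECURITY;

-- The app sets app.workspace_id per request; unset or empty yields NULL, hence no rows.
CREATE POLICY workspace_isolation ON posts
  USING      (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
  WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

-- Run the test as a least-privilege role, never as the owner or a superuser.
CREATE ROLE isolation_tester NOLOGIN;
GRANT SELECT, INSERT ON posts TO isolation_tester;
GRANT USAGE ON SEQUENCE posts_id_seq TO isolation_tester;
SET ROLE isolation_tester;

DO $$
DECLARE
  ws_a uuid := '11111111-1111-4111-8111-111111111111';  -- constructed workspace id
  ws_b uuid := '22222222-2222-4222-8222-222222222222';  -- constructed workspace id
  visible int;
BEGIN
  -- Seed one row per workspace, each under its own workspace context.
  PERFORM set_config('app.workspace_id', ws_a::text, true);
  INSERT INTO posts (workspace_id, body) VALUES (ws_a, 'belongs to A');
  PERFORM set_config('app.workspace_id', ws_b::text, true);
  INSERT INTO posts (workspace_id, body) VALUES (ws_b, 'belongs to B');

  -- Cross-workspace read attempt: still in B's context, filter explicitly for A's rows.
  SELECT count(*) INTO visible FROM posts WHERE workspace_id = ws_a;
  IF visible <> 0 THEN
    RAISE EXCEPTION 'tenant isolation leak: % row(s) of workspace A visible to B', visible;
  END IF;

  -- Cross-workspace write attempt: WITH CHECK must reject it (SQLSTATE 42501).
  BEGIN
    INSERT INTO posts (workspace_id, body) VALUES (ws_a, 'written by B');
    RAISE EXCEPTION 'tenant isolation leak: B inserted a row into workspace A';
  EXCEPTION WHEN insufficient_privilege THEN
    NULL;  -- expected: new row violates row-level security policy
  END;
END $$;

RESET ROLE;
```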

MFA

TOTP (Clerk) required for owner-role users. Optional for others. SMS deliberately excluded — SOC 2 prefers TOTP / WebAuthn over SS7.

Secrets + dependency scanning

gitleaks pre-commit + on push, Semgrep + CodeQL SAST, weekly cron sweeps. Push protection blocks committed secrets.

Audit logs

Every state change writes a row to audit_log with workspace/user/action/entity context. Retention: 1 year online, archival for the SOC 2 audit window.

Edge protection

Cloudflare WAF + rate limits in front of the gateway. Security response headers (CSP, HSTS, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) enforced by a Cloudflare Worker.

Backup + recovery

Neon continuous backup with point-in-time recovery to any moment in the last 30 days, plus residual AWS Backup. Restore drills run quarterly.

Compliance status

Current state, not roadmap. We update this when posture changes, not on a marketing schedule.

Framework | Status | Detail
SOC 2 Type II | Planned | Audit not yet commenced; the observation window is targeted to open Month 6. Controls are mapped to CC1-CC9, A1, and C1, and continuous-evidence collection wires up once the first enterprise customer signs. No report exists yet.
GDPR | Compliant | Article 15 export + Article 17 erasure live (POST /v1/account/export, POST /v1/account/delete). DPA template + auto-fill. EU sub-processor transfers under SCCs 2021/914.
CCPA / CPRA | Compliant | Same data access + deletion endpoints satisfy California requests. No sale of personal information.
ISO 27001 | Planned | Not in v1 scope. Targeting Year 2 once SOC 2 is established.
HIPAA | Out of scope | SuperPost is not designed to process Protected Health Information. Do not upload PHI.

External validation

Penetration tests

Annual third-party pen test by Cure53. First engagement scheduled post-launch. Public summaries (with remediation status) land here after each engagement.

No engagements completed yet.

Vulnerability disclosure

Open invitation to security researchers: 24h acknowledgement, 7d triage, per-severity remediation SLAs. See the vulnerability disclosure policy.

A paid bug bounty program will launch when volume justifies it.

Uptime + incidents

Real-time service status + incident history at status.superpost.io.

Privacy + legal

Security review questions?

Email security@superpost.io and we'll get back within one business day. We have a security review questionnaire on file with answers to the standard SIG / VSAQ / CAIQ-Lite asks.