SOTODEV

security

Security posture

Admin paths are intercepted at the edge, before any application code runs.

s.01 request flow

Request flow

  1. Browser
  2. Vercel Edge CDN (SOC 2 Type II)
  3. Edge Auth (HTTP Basic)
  4. React application
  5. API routes
  6. Supabase (SOC 2 Type II, RLS)

s.02 posture

Controls

Authentication & access

  • HTTP Basic Auth for admin surfaces, enforced in Vercel edge middleware.
  • Admin surfaces are gated at the edge, so unauthenticated requests are rejected before any application code runs or content is served.
  • Principle of least privilege across service accounts.
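
A worked example of the edge gate described above, added here as an illustration; it is not SOTODEV's own middleware. It uses only the Web-standard Request and Response APIs, so it runs under Node 18+ as well as in an edge runtime. The `/admin` prefix, the realm string, the function names `adminGate` and `gateStatus`, and the credentials passed in as an argument (in real middleware they would be read from `process.env`) are assumptions. Two details matter in practice: the comparison is constant-time, and both the username and the password are compared on every request so that response timing does not reveal which half was wrong. Basic Auth sends the credential base64-encoded, not encrypted, so the control depends entirely on TLS being enforced in front of it.

```javascript
// Added example (not SOTODEV's code): HTTP Basic Auth gate for admin paths,
// written in the shape of a Vercel Edge Middleware but using only
// Web-standard Request/Response so it also runs under Node 18+.

const ADMIN_PREFIX = "/admin"; // assumed admin path prefix
const REALM = "admin";         // assumed realm string

// Constant-time comparison of two strings (as UTF-8 bytes): a mismatch in
// the first byte costs the same as a mismatch in the last. Only the length
// difference is folded into the result, so length is the one thing that leaks.
function safeEqual(a, b) {
  const enc = new TextEncoder();
  const x = enc.encode(a);
  const y = enc.encode(b);
  let diff = x.length ^ y.length;
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  }
  return diff === 0;
}

// Parse "Authorization: Basic <base64(user:pass)>". Any malformed header
// yields null rather than an exception, so bad input is simply "no auth".
// The password may itself contain ':'; only the first colon separates.
function parseBasic(header) {
  if (!header) return null;
  const m = /^basic\s+([A-Za-z0-9+/=]+)$/i.exec(header.trim());
  if (!m) return null;
  let decoded;
  try {
    decoded = atob(m[1]);
  } catch {
    return null;
  }
  const idx = decoded.indexOf(":");
  if (idx < 0) return null;
  return { user: decoded.slice(0, idx), pass: decoded.slice(idx + 1) };
}

// Core check. `creds` is {user, pass}; real middleware would take these from
// process.env. Returns a 401 Response when the request must be blocked, or
// null when it may continue to the application.
function adminGate(request, creds) {
  const url = new URL(request.url);
  // Require a segment boundary: "/admin" and "/admin/x" match, "/administrator" does not.
  const isAdmin =
    url.pathname === ADMIN_PREFIX || url.pathname.startsWith(ADMIN_PREFIX + "/");
  if (!isAdmin) return null;

  const supplied = parseBasic(request.headers.get("authorization"));
  // Compare both halves unconditionally so timing does not reveal
  // whether the username alone was correct.
  const userOk = supplied ? safeEqual(supplied.user, creds.user) : false;
  const passOk = supplied ? safeEqual(supplied.pass, creds.pass) : false;
  if (userOk && passOk) return null;

  return new Response("Authentication required", {
    status: 401,
    headers: {
      "WWW-Authenticate": `Basic realm="${REALM}", charset="UTF-8"`,
      "Cache-Control": "no-store",
    },
  });
}

// Helper for offline exercise of the gate: builds a request for `urlPath`
// (host is a placeholder) and returns the status the gate would produce,
// with 200 standing in for "pass through to the application".
function gateStatus(urlPath, authHeader, creds) {
  const headers = authHeader ? { authorization: authHeader } : {};
  const req = new Request("https://example.invalid" + urlPath, { headers });
  const res = adminGate(req, creds);
  return res ? res.status : 200;
}

// Sketch of the Vercel wiring (assumed, not runnable here):
//   export function middleware(req) {
//     return adminGate(req, { user: process.env.ADMIN_USER, pass: process.env.ADMIN_PASS })
//       ?? /* framework pass-through, e.g. NextResponse.next() in Next.js */;
//   }
//   export const config = { matcher: ["/admin/:path*"] };
```

In a deployment the matcher and the prefix check must agree: the matcher decides which requests reach the middleware at all, and the check inside decides what happens to them. The example deliberately treats `/administrator` as a non-admin path, because the check requires a segment boundary after `/admin`; if the site has other privileged prefixes they need their own entry in both places.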

Data protection

  • Data minimization — only required engagement data is collected.
  • Client data never leaves the Supabase project scoped to that engagement.
  • Row-level security policies enforced.
  • All transport over HTTPS with TLS 1.2 or newer.

Secrets & dependencies

  • API keys, credentials, and environment secrets are never committed.
  • Secrets provisioned via Vercel; rotated on access-change events.
  • Dependencies pinned to known versions and audited regularly via Dependabot.

Operations

  • Every engagement ships with runbooks, recovery procedures, and credential escrow.
  • All client communication over encrypted channels.
  • NDA execution for proprietary-data engagements.

s.03 what we do not hold

What we do not hold

We do not currently hold SOC 2 Type II, ISO 27001, or other formal certifications; the SOC 2 Type II attestations noted in the request flow belong to Vercel and Supabase, not to us. We operate as a single-operator practice with a documented continuity plan to mitigate the operational risk that implies.

Reporting a vulnerability

Submit it through the contact form with the subject marked "security". We commit to acknowledging reports within 24 hours.

go to the contact form