How your submissions are protected.
Last updated: April 22, 2026
I've been on the receiving end of loss runs emailed in the clear and COIs tossed into shared Google Drives that half the agency can see. That's not how this works. This page lays out what I do — today, in the beta — to keep the stuff you send me locked down.
1. Encryption
- In transit: TLS 1.2+ everywhere. HTTPS-only via HSTS. No plaintext endpoints.
- At rest: AES-256 encryption on all stored data and uploaded files, via Supabase / AWS S3 managed keys.
- Secrets: API keys and service credentials live in Vercel's encrypted environment variable store. Never in code. Never in git.
2. Access control
- Today the production systems are accessed by one human — me. All administrative sessions require 2FA (TOTP/WebAuthn).
- Supabase row-level security is enabled on every table. The public site uses the anon key (read-restricted); writes go through a service-role key that never leaves server-side code.
- File uploads land in a private storage bucket. Signed, short-lived URLs are the only way to retrieve them.
- CRM (Copper) access is limited to me, scoped to the workspace I own.
3. Infrastructure
| Layer | Provider | Notes |
|---|---|---|
| Application hosting | Vercel | SOC 2 Type II, ISO 27001. US edge + US primary region. |
| Database + file storage | Supabase (AWS us-east-1) | SOC 2 Type II. Managed Postgres, daily backups, PITR. |
| CRM | Copper CRM | SOC 2 Type II. |
| Source control | GitHub (private repo) | SOC 2 Type II. No customer data in code or commits. |
4. Application security
- Server-side input validation on every API route.
- File uploads size-capped (50MB/file) and type-screened.
- No customer file is ever executed — everything is stored as opaque bytes.
- Frontend is React/Next.js 15; dependencies are pinned and tracked via GitHub Dependabot for known CVEs.
- No third-party analytics or advertising pixels load on the submission path. The upload form and the API are kept clean of tracking scripts.
5. Backups & recovery
- Daily automated Postgres backups (Supabase).
- Point-in-time recovery for the last 7 days.
- Target Recovery Time Objective (RTO): 24 hours. Target Recovery Point Objective (RPO): 24 hours. Honest about the fact that these are targets, not SLAs.
6. Monitoring
- Deployment logs retained by Vercel.
- Database query + error logs retained by Supabase.
- Failed API calls and exceptions logged server-side.
- I personally review logs weekly and on any reported issue.
7. Incident response
If I confirm a security incident that affects your data, you'll hear from me within 72 hours with what I know, what's affected, what I'm doing about it, and what (if anything) you need to do. See the DPA for the contractual framing.
To report a suspected vulnerability or incident: scott@upfrontrisk.io. Use the subject line "Security report" and I'll prioritize accordingly. No bug bounty program yet; I'll thank you publicly (or privately, your choice) for coordinated disclosure.
8. Data minimization
- I collect what the workflow actually needs, not extra.
- Optional fields are marked optional and left blank by default.
- Aggregated / de-identified data may be used for product improvement. Raw client data is never used to train models in an identified way.
9. Business continuity
The platform runs on managed, multi-AZ infrastructure. If a vendor has an outage, the site is down until they're back. I don't have a follow-the-sun NOC, and I'm not going to pretend I do.
10. Compliance posture
- Today: privacy-by-design, GDPR-aligned processing, CCPA-compliant, DPA available on request, written security policies in the repo.
- On the roadmap: SOC 2 Type II (targeting 12–18 months from GA), formal penetration test before the first paid customer with production volume.