Security & Trust

Transparency is the foundation of trust. Here is how we protect your data, secure our infrastructure, and ensure compliance.

Our Commitment

We are a security-focused, privacy-first service designed to help companies safely exchange sensitive security documents. Our security team consists of two co-founders, each with 25+ years in software development, including Director of Engineering and Cybersecurity Architect roles at a major financial organization.

We implement comprehensive security controls aligned with the NIST Cybersecurity Framework (NIST CSF) and the CIS Critical Security Controls (v8 IG1). We maintain a formal Security Incident Response Plan with a 12-hour response SLA for all security incidents.

Infrastructure Security

Minimal Attack Surface

Our application runs on a dedicated, minimal Ubuntu Linux instance in AWS (which is SOC 2 Type II certified). We believe in simplicity as a security feature:

  • No unnecessary services: The server runs only Nginx and the Python application environment.
  • Hardened Configuration: Unused ports are blocked, and the OS is configured with strict security defaults.

Network Security & Firewalling

We employ a defense-in-depth approach to network security:

  • AWS Security Groups: Strictly limit inbound traffic to HTTP/HTTPS (80/443) and SSH (22) from authorized IPs only.
  • iptables IP Filtering: We actively block traffic from known malicious sources at the EC2 instance level using industry-standard blocklists (Tor Exit Nodes, Spamhaus DROP, Firehol Level 1, etc.).
  • Automatic Security Updates: Ubuntu's unattended-upgrades is enabled to apply critical and security patches automatically.
  • Dependency Scanning: GitHub Dependabot monitors all dependencies for known vulnerabilities with manual review of updates.
  • TLS Configuration: We enforce strong encryption (TLS 1.2/1.3 only) and use HSTS to force HTTPS. We maintain an A+ rating on SSL Labs.

Secure Deployment Pipeline

Our deployment process includes automated security and quality checks. Our deployment script automatically runs the full backend test suite, and deployments are immediately aborted if any test fails. This ensures only verified code reaches production.

Application Security

  • Identity Provider: We use Supabase Auth, a hardened, SOC 2 Type II compliant identity provider.
  • No Plaintext Passwords: We never see or store your passwords. They are hashed and salted using industry-standard algorithms (bcrypt).
  • SSO Support: We support Single Sign-On (SSO) integration, allowing customers to enforce their own Multi-Factor Authentication (MFA) and security policies via providers like Okta and Entra ID.
  • Session Management: We use Secure, HttpOnly cookies with strict attributes to protect sessions against XSS and CSRF attacks.

Data Protection

  • Encryption in Transit: All data is encrypted via TLS 1.2/1.3.
  • Encryption at Rest: All customer data (Database & File Storage) is encrypted at rest via Supabase (AES-256) and AWS EBS encryption.
  • Data Isolation: Multi-tenant architecture with PostgreSQL Row-Level Security (RLS) policies ensuring strict tenant isolation.
  • Backups: Automated daily backups are encrypted and stored securely. Database backups are retained for 7 days; EC2 volume snapshots are retained for 30 days.

Monitoring & Incident Response

  • Continuous Monitoring: AWS CloudWatch monitors failed authentication attempts, API error rates, unusual traffic patterns, and EC2 instance metrics with automated alerting.
  • Audit Logging: Comprehensive audit logs of all critical actions (logins, document uploads, access requests, share link generation).
  • Document Versioning: Complete version history tracking for all documents with uploader names, timestamps, and version chains. When documents are replaced, previous versions are preserved for audit compliance and to maintain the integrity of external shares.
  • Incident Response: Formal Security Incident Response Plan with 12-hour response SLA. Contact: security@simpletrustportal.com

📄 Detailed Security Documentation

For enterprise customers and security teams, we provide comprehensive security documentation including:

  • CIS Critical Security Controls Assessment - Implementation status of all 18 IG1 controls
  • NIST Cybersecurity Framework Mapping - Complete mapping across all five functions
  • Security Incident Response Plan - Formal incident response procedures
  • Security & Compliance FAQ - Comprehensive Q&A for common security questions
  • Security Attestation - Formal security posture statement

Responsible Disclosure

We welcome security reports from researchers and users. If you believe you have found a vulnerability, please contact us immediately. We commit to responding within 12 hours.

Contact: security@simpletrustportal.com

We are committed to acknowledging your report, providing an estimated timeline for remediation, and notifying you when the fix is deployed.