Information Security Addendum

This addendum describes the technical and organizational security measures implemented by GuestPass Plus to protect customer data and maintain the integrity of our services.

Last updated: December 17, 2024

1. Security Overview

GuestPass Plus is committed to maintaining the security, confidentiality, and integrity of all data processed through our platform. This Information Security Addendum describes the security measures we implement to protect your data.

Our security program is designed to:

  • Protect the confidentiality, integrity, and availability of customer data
  • Prevent unauthorized access to systems and data
  • Ensure compliance with applicable laws and regulations
  • Maintain customer trust through transparent security practices
  • Continuously improve our security posture

This addendum supplements our Data Processing Agreement and provides additional detail on our security controls.

2. Infrastructure Security

2.1 Hosting Environment

Our infrastructure is hosted on enterprise-grade cloud platforms with robust security certifications:

Component           | Provider       | Security Features
Application Hosting | Vercel (AWS)   | SOC 2 Type II, ISO 27001, automatic DDoS protection
Database & Storage  | Supabase (AWS) | SOC 2 Type II, data encryption, automated backups
Edge Network        | Vercel Edge    | Global CDN, automatic SSL, request filtering

2.2 Physical Security

Our hosting providers maintain physical security controls including:

  • 24/7 security personnel and surveillance
  • Biometric access controls
  • Environmental controls (fire suppression, climate control)
  • Redundant power and connectivity
  • Regular security audits and assessments

2.3 Geographic Distribution

Production data is stored in data centers located in the United States. Our infrastructure leverages multiple availability zones for redundancy and high availability.

3. Data Security

3.1 Encryption in Transit

  • All data transmitted between clients and our servers is encrypted using TLS 1.2 or higher
  • We enforce HTTPS for all connections with HSTS headers
  • Internal service-to-service communication is encrypted
  • API endpoints only accept encrypted connections

3.2 Encryption at Rest

  • Database storage uses AES-256 encryption
  • File storage (waiver PDFs, logos) uses server-side encryption
  • Encryption keys are managed by our infrastructure providers
  • Backups are encrypted with the same standards as production data

3.3 Data Isolation

  • Multi-tenant architecture with logical data separation
  • Each customer's data is isolated using tenant identifiers
  • Postgres row-level security (RLS) policies enforce tenant isolation at the database level, so a query that omits a tenant filter still returns only the calling tenant's rows
  • Cross-tenant data access is prevented at the application and database layers

3.4 Sensitive Data Handling

Data Type           | Protection Measures
Passwords           | Hashed using bcrypt with appropriate work factor; never stored in plaintext
Member PINs         | Hashed using secure algorithms; never stored in plaintext
Phone Numbers       | Verified via SMS; stored for service functionality
Verification Tokens | Cryptographically random; expire after 10 minutes; single use
Session Tokens      | Secure, HttpOnly cookies; regular rotation
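
The verification-token row above lists three properties: cryptographically random, 10-minute expiry, single use. The following is an added example of how those three properties fit together in code; it is illustrative code written for this page, not GuestPass Plus's implementation. The in-memory store, the function names, the 32-byte base64url token format and the result labels are all assumptions. A short numeric SMS code would follow the same issue/consume lifecycle, with rate limiting carrying more of the load because the code itself has far less entropy.

```typescript
// Added example: single-use, time-limited verification tokens. Illustrative code
// for this page, not GuestPass Plus's implementation; store shape, names and
// token encoding are assumptions.
import { createHash, randomBytes } from "node:crypto";

export const TOKEN_TTL_MS = 10 * 60 * 1000; // 10-minute lifetime, as in section 3.4

interface TokenRecord {
  subject: string;     // what the token proves control of, e.g. a phone number
  expiresAt: number;   // epoch ms; the token is rejected at or after this instant
  consumedAt?: number; // set on first successful use; makes the token single use
}

// Keyed by SHA-256 of the token, so a leaked store does not yield usable tokens.
// In-memory for the example; a real deployment would use a database table.
const tokens = new Map<string, TokenRecord>();

function digestOf(token: string): string {
  return createHash("sha256").update(token, "utf8").digest("hex");
}

// Issue a token bound to `subject`. 32 bytes from the CSPRNG gives 256 bits of
// entropy, which an online guessing attack under rate limiting cannot brute-force.
export function issueToken(subject: string, now: number = Date.now()): string {
  const token = randomBytes(32).toString("base64url");
  tokens.set(digestOf(token), { subject, expiresAt: now + TOKEN_TTL_MS });
  return token; // delivered out of band; only its digest is retained here
}

export type VerifyResult = "ok" | "unknown" | "expired" | "already_used" | "subject_mismatch";

// Verify and consume in one step. The detailed reason is for server-side logging;
// the user-facing message should stay generic so it does not act as an oracle.
export function consumeToken(token: string, subject: string, now: number = Date.now()): VerifyResult {
  const rec = tokens.get(digestOf(token));
  if (rec === undefined) return "unknown";
  if (now >= rec.expiresAt) return "expired";
  if (rec.consumedAt !== undefined) return "already_used";
  if (rec.subject !== subject) return "subject_mismatch";
  rec.consumedAt = now; // marks the token used before any side effect runs
  return "ok";
}

// Housekeeping: drop records that can never verify again. Returns the count removed.
export function purgeExpired(now: number = Date.now()): number {
  const stale: string[] = [];
  tokens.forEach((rec, digest) => {
    if (now >= rec.expiresAt || rec.consumedAt !== undefined) stale.push(digest);
  });
  stale.forEach((digest) => tokens.delete(digest));
  return stale.length;
}
```

Marking the record consumed before performing the verified action (rather than after) is what makes the token single use under concurrent requests; in a database-backed store the equivalent is a conditional UPDATE on `consumed_at IS NULL` whose affected-row count decides the outcome.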

4. Access Control

4.1 Authentication

  • Secure authentication via Supabase Auth
  • Password requirements enforce complexity standards
  • Session management with secure token handling
  • Automatic session expiration for inactive users
  • Rate limiting on authentication endpoints

4.2 Authorization

  • Role-based access control (RBAC) with defined permission levels
  • Principle of least privilege applied to all access grants
  • Tenant-scoped access ensuring users can only access their organization's data
  • Staff roles: Administrator (full access), Staff (operational access)
  • API authorization with validated tokens

4.3 Administrative Access

  • Administrative access to production systems is strictly limited
  • All administrative actions are logged
  • Access reviews conducted regularly
  • Privileged access requires additional authentication

5. Application Security

5.1 Secure Development

  • Security-focused code review process
  • Static code analysis for vulnerability detection
  • Dependency scanning for known vulnerabilities
  • Regular updates to frameworks and libraries
  • TypeScript strict mode for type safety

5.2 Input Validation

  • All user input is validated using Zod schemas
  • Input sanitization to prevent XSS and injection attacks
  • HTML stripping from text inputs
  • SQL injection prevention through parameterized queries
  • Rate limiting on all public endpoints
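
Rate limiting appears in both section 4.1 (authentication endpoints) and section 5.2 (all public endpoints). As an added example covering both, the token-bucket limiter below is illustrative code written for this page, not GuestPass Plus's implementation; the limits (20 attempts/min per source IP, 5 attempts/min per account), the key format and the function names are assumed values. The login helper keeps two independent buckets because a single per-IP limit does nothing against a password-spraying attack that spreads one account's attempts across many addresses.

```typescript
// Added example: token-bucket rate limiting for authentication and other public
// endpoints. Illustrative code for this page, not GuestPass Plus's implementation;
// the limits below are assumed values, not the service's.
export interface BucketConfig {
  capacity: number;     // burst size: requests allowed at once from a full bucket
  refillPerSec: number; // sustained rate once the burst is spent
}

interface Bucket {
  tokens: number;
  updatedAt: number; // epoch ms of the last refill calculation
}

export class TokenBucketLimiter {
  private readonly cfg: BucketConfig;
  private readonly buckets = new Map<string, Bucket>();

  constructor(cfg: BucketConfig) {
    this.cfg = cfg;
  }

  // Returns true and consumes one token if `key` is within its limit, false otherwise.
  allow(key: string, now: number = Date.now()): boolean {
    let b = this.buckets.get(key);
    if (b === undefined) {
      b = { tokens: this.cfg.capacity, updatedAt: now };
      this.buckets.set(key, b);
    }
    // Lazy refill: add tokens for the time elapsed, capped at capacity.
    const elapsedSec = Math.max(0, now - b.updatedAt) / 1000;
    b.tokens = Math.min(this.cfg.capacity, b.tokens + elapsedSec * this.cfg.refillPerSec);
    b.updatedAt = now;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// Two independent limits for login: per source IP (catches scanners) and per target
// account (catches a distributed spray against one user). Assumed values.
export const ipLimiter = new TokenBucketLimiter({ capacity: 20, refillPerSec: 20 / 60 });
export const accountLimiter = new TokenBucketLimiter({ capacity: 5, refillPerSec: 5 / 60 });

// Normalise so "Alice@x.com" and "alice@x.com" share one bucket.
export function normalizeAccount(identifier: string): string {
  return identifier.trim().toLowerCase();
}

// Check the IP bucket first; an account token is only spent if the IP check passed.
export function loginAttemptAllowed(ip: string, identifier: string, now: number = Date.now()): boolean {
  if (!ipLimiter.allow(`ip:${ip}`, now)) return false;
  return accountLimiter.allow(`acct:${normalizeAccount(identifier)}`, now);
}
```

On a multi-instance deployment the bucket state has to live in shared storage rather than process memory, otherwise each instance enforces its own, larger, effective limit.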

5.3 Security Headers

We implement security headers including:

  • Content-Security-Policy to prevent XSS attacks
  • X-Frame-Options to prevent clickjacking
  • X-Content-Type-Options to prevent MIME sniffing
  • Strict-Transport-Security to enforce HTTPS
  • Referrer-Policy to control referrer information

5.4 CSRF Protection

Cross-Site Request Forgery (CSRF) protection is implemented at the middleware level, validating Origin headers for all state-changing requests (POST, PUT, PATCH, DELETE).
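
The Origin check described above, as an added example written for this page (not GuestPass Plus's middleware): framework wiring is left out, the function receives the request fields it needs and returns a decision, and the allowed-origin list is an assumed configuration input. The fallback to the Referer header when Origin is absent is an added design choice that the addendum does not state; the point it illustrates is that a request with neither header is denied rather than waved through.

```typescript
// Added example: Origin-header CSRF check for state-changing requests. Illustrative
// code for this page, not GuestPass Plus's middleware; names and the Referer
// fallback are assumptions.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

export interface CsrfRequest {
  method: string;
  origin: string | null;   // Origin header value, or null if the header is absent
  referer?: string | null; // Referer header, consulted only when Origin is absent
}

export type CsrfDecision = "allow" | "deny";

// Reduce a header value to scheme://host[:port]. Unparseable values, including the
// literal "null" origin sent by sandboxed or opaque contexts, map to null.
export function originOf(value: string): string | null {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Build the allow-list from configured site URLs, normalised the same way.
export function allowedOriginSet(siteUrls: string[]): Set<string> {
  const out = new Set<string>();
  for (const u of siteUrls) {
    const o = originOf(u);
    if (o !== null) out.add(o);
  }
  return out;
}

export function csrfCheck(req: CsrfRequest, allowed: Set<string>): CsrfDecision {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return "allow"; // reads change no state

  // Browsers attach Origin to cross-site POST/PUT/PATCH/DELETE, so a mismatch here
  // is the CSRF signal. Exact match against the allow-list: a prefix or substring
  // test would let "https://app.example.com.attacker.test" through.
  if (req.origin !== null) {
    const o = originOf(req.origin);
    return o !== null && allowed.has(o) ? "allow" : "deny";
  }

  // Origin absent: some clients omit it on same-origin form posts. Fall back to the
  // Referer's origin; if that is missing too, fail closed.
  if (req.referer) {
    const r = originOf(req.referer);
    return r !== null && allowed.has(r) ? "allow" : "deny";
  }
  return "deny";
}
```

The check belongs before body parsing and any session lookup, so a forged request is rejected at no cost. It complements, rather than replaces, the SameSite attribute on the session cookie.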

6. Network Security

6.1 Perimeter Security

  • Web Application Firewall (WAF) protection
  • DDoS mitigation at the edge
  • IP reputation filtering
  • Automatic bot detection and blocking

6.2 Monitoring

  • Real-time monitoring of application performance
  • Error tracking and alerting
  • Anomaly detection for unusual activity
  • Log aggregation and analysis

7. Incident Response

7.1 Incident Classification

Severity | Description                                  | Response Time
Critical | Active breach, data exposure, service outage | Immediate (< 1 hour)
High     | Potential breach, significant vulnerability  | < 4 hours
Medium   | Limited security issue, minor vulnerability  | < 24 hours
Low      | Minor issue, no immediate risk               | < 72 hours

7.2 Response Process

Our incident response process includes:

  • Detection and identification of the incident
  • Containment to prevent further damage
  • Eradication of the threat
  • Recovery of affected systems and data
  • Post-incident review and lessons learned
  • Customer notification as required by law and contract

7.3 Notification

In the event of a security incident affecting customer data, we will notify affected customers in accordance with our Data Processing Agreement (within 72 hours of becoming aware of the incident).

8. Business Continuity

8.1 Backup and Recovery

  • Automated database backups (daily with point-in-time recovery)
  • Backups stored in geographically separate locations
  • Encrypted backup storage
  • Regular backup restoration testing
  • Recovery Time Objective (RTO): < 4 hours for critical systems
  • Recovery Point Objective (RPO): < 1 hour for database

8.2 High Availability

  • Multi-region deployment for application hosting
  • Database replication across availability zones
  • Automatic failover for critical components
  • Load balancing across multiple instances

8.3 Service Level

We target 99.9% uptime for our production services. Scheduled maintenance windows are communicated in advance and performed during low-traffic periods when possible.

9. Personnel Security

9.1 Security Training

  • Security awareness training for all personnel
  • Role-specific security training for developers and administrators
  • Regular updates on emerging threats and best practices
  • Phishing awareness and testing

9.2 Access Management

  • Background checks for personnel with access to customer data
  • Confidentiality agreements for all personnel
  • Access provisioning based on role requirements
  • Prompt access revocation upon termination or role change

9.3 Secure Workstations

  • Full-disk encryption required on all devices
  • Screen lock requirements
  • Automatic security updates
  • Secure configuration baselines

10. Vendor Management

10.1 Vendor Selection

We evaluate vendors based on:

  • Security certifications and compliance (SOC 2, ISO 27001)
  • Data protection practices and policies
  • Track record and reputation
  • Contractual commitments to security and privacy

10.2 Ongoing Management

  • Regular review of vendor security posture
  • Monitoring vendor security advisories
  • Prompt response to vendor security incidents
  • Annual reassessment of critical vendors

10.3 Current Vendors

A current list of our sub-processors and their security certifications is maintained in our Data Processing Agreement.

11. Compliance

11.1 Regulatory Compliance

Our security program is designed to support compliance with:

  • California Consumer Privacy Act (CCPA/CPRA)
  • General Data Protection Regulation (GDPR) where applicable
  • Telephone Consumer Protection Act (TCPA) for SMS communications
  • CAN-SPAM Act for email communications
  • Payment Card Industry Data Security Standard (PCI DSS) for payment processing

11.2 Security Assessments

  • Regular internal security assessments
  • Vulnerability scanning of production systems
  • Third-party penetration testing (annual)
  • Continuous monitoring for new vulnerabilities

11.3 Certifications

Our infrastructure providers maintain SOC 2 Type II and ISO 27001 certifications. We can provide documentation upon request for customers with specific compliance requirements.

12. Security Contact

For security-related inquiries, to report a vulnerability, or to request additional information about our security practices, please contact us:

GuestPass Plus - Security Team

Security Inquiries: security@guestpassplus.com

Vulnerability Reports: security@guestpassplus.com

Privacy: privacy@guestpassplus.com

Responsible Disclosure

We appreciate security researchers who report vulnerabilities responsibly. If you discover a security issue, please report it to us privately before any public disclosure. We commit to acknowledging reports within 24 hours and providing regular updates on our investigation.