Security

Encryption

Data in Transit

• TLS 1.3: All data transmitted between your browser and our servers is encrypted using the latest TLS 1.3 protocol
• HTTPS Enforcement: All connections are forced to HTTPS with HSTS headers to prevent downgrade attacks
• Certificate Pinning: We use certificate pinning to prevent man-in-the-middle attacks

Data at Rest

• AES-256 Encryption: All stored data is encrypted using industry-standard AES-256 encryption
• Database Encryption: Convex provides automatic encryption of all database records
• Encrypted Backups: All backups are encrypted using separate encryption keys
• Key Management: Encryption keys are stored separately from data and rotated regularly

Authentication & Access Control

User Authentication

• Clerk Authentication: Enterprise-grade authentication powered by Clerk with JWT tokens
• Multi-Factor Authentication (MFA): Support for TOTP-based 2FA and SMS verification
• OAuth2 / Social Login: Secure authentication via Google, Microsoft, and other providers
• Password Security: Passwords are hashed using bcrypt with high cost factors
• Session Management: Secure session tokens with automatic expiration and refresh

Role-Based Access Control (RBAC)

• Granular Permissions: Owner, member, and viewer roles with specific permissions
• Team Isolation: Complete data isolation between teams—no cross-team data access
• Sales Role Hierarchy: Executive, manager, team lead, rep, and RevOps role distinctions
• API Authorization: All API requests validated with user context and permissions

Infrastructure Security

Hosting & Infrastructure

• Vercel Hosting: SOC 2 Type II certified hosting with global CDN and DDoS protection
• Convex Database: Fully managed, secure, real-time database with automatic backups
• Serverless Architecture: Auto-scaling serverless functions reduce attack surface
• Edge Network: Global edge network for low latency and high availability

Network Security

• DDoS Protection: Advanced DDoS mitigation at multiple network layers
• Web Application Firewall (WAF): Protection against common web vulnerabilities
• Rate Limiting: API rate limiting to prevent abuse and brute force attacks
• IP Whitelisting: Optional IP restrictions for enterprise customers

Application Security

Secure Development Practices

• Input Validation: Comprehensive input validation and sanitization on all user inputs
• SQL Injection Prevention: Parameterized queries and ORM protection
• XSS Protection: Content Security Policy (CSP) and output encoding
• CSRF Protection: Token-based CSRF protection on all state-changing operations
• Secure Headers: Security headers including CSP, X-Frame-Options, and X-Content-Type-Options

Code Security

• TypeScript: Full type safety to prevent common programming errors
• Dependency Scanning: Automated vulnerability scanning of dependencies
• Code Reviews: All code changes reviewed before deployment
• Security Scanner: Custom security scanner monitors for vulnerabilities in real-time

Data Protection

• Team Isolation: Strict data boundaries between teams prevent unauthorized access
• Data Retention: Configurable data retention policies with automatic deletion
• Audit Logging: Comprehensive audit logs track all data access and modifications
• Backups: Automated encrypted backups with point-in-time recovery
• Data Deletion: Secure data wiping upon account deletion within 30 days
• Disaster Recovery: Multi-region backup strategy with RTO < 4 hours, RPO < 1 hour

Monitoring & Incident Response

Security Monitoring

• Sentry Error Tracking: Real-time error monitoring and alerting
• PostHog Analytics: User behavior monitoring to detect anomalies
• Real-Time Security Scanning: Automated security scans every 30 minutes
• Intrusion Detection: Automated detection of unauthorized access attempts
• 24/7 Monitoring: Continuous monitoring of infrastructure and application health

Incident Response

• Incident Response Plan: Documented procedures for security incident handling
• Automated Alerts: Immediate notification of critical security events
• Response Team: Dedicated security response team available 24/7
• Customer Notification: Prompt notification to affected customers in case of breach

Third-Party Vendors

We carefully vet all third-party vendors and partners to ensure they meet our security standards:

• OpenAI: SOC 2 Type II certified, enterprise-grade AI processing
• Convex: SOC 2 Type II certified database with automatic encryption
• Clerk: SOC 2 certified authentication platform
• Vercel: SOC 2 Type II certified hosting infrastructure
• Stripe: PCI DSS Level 1 certified payment processing

All vendor relationships are governed by Data Processing Agreements (DPAs) and Business Associate Agreements (BAAs) where applicable.