Trust center
How we secure Resolute Security itself.
The same questions you'd ask any vendor — answered up front. Last updated .
Hosting & data residency
Where the bits live, and who has physical access. We're transparent about every layer.
- Application hosting: Fly.io, Ashburn (IAD) [Active]
- Database: Neon Postgres on AWS us-east-1 [Active]
- Object storage: None — no customer files at rest [Active]
- Email delivery: Resend (SOC 2 Type II) [Active]
- Background jobs: Upstash Redis (US-East-1) [Active]
- Error tracking: Sentry — PII scrubbed before send [Active]
Customer data handling
What we collect, how it's protected, and how long we keep it.
- Customer data classification: Internal use only; never sold or shared [Active]
- Encryption in transit: TLS 1.2+ enforced; HSTS preload-eligible [Active]
- Encryption at rest: Postgres + Redis volume encryption [Active]
- Integration secrets: AES-256-GCM with rotated key (INTEGRATION_ENC_KEY) [Active]
- Backups: Neon continuous WAL + 7-day point-in-time recovery [Active]
- Data export: Findings CSV + JSON, attestation PDF, posture history [Active]
- Data deletion: Self-service from /app/settings/profile (org delete cascades all rows) [Active]
Authentication & access
Account security is the front door. We treat it that way.
- Email + password: Argon2id; never reversible [Active]
- Magic link sign-in: Single-use, 15-min TTL [Active]
- Multi-factor auth: TOTP today; WebAuthn / passkeys in flight [Active]
- SSO: Google + Microsoft OAuth (Entra ID) [Active]
- Session cookies: HttpOnly + Secure + SameSite=Lax [Active]
- API keys: Owner-only mint, prefix-displayed, full secret shown once [Active]
- Rate limiting: Per-IP throttling on password + MFA endpoints [Active]
Operations & monitoring
What's running, what's checked, what wakes us up.
- Uptime monitoring: Fly health checks every 30s, /healthz constant-time [Active]
- Error capture: Sentry with source maps; PII scrubbed [Active]
- Audit log: Per-org, append-only, searchable from /app/audit [Active]
- Migrations: Drizzle release_command before each deploy + idempotent re-apply [Active]
- Worker health: Hourly per-integration sync ticks + 5-min heartbeat [Active]
Compliance posture
We use our own product. The same controls we help SMBs measure, we measure on ourselves.
- SOC 2 readiness: Self-assessed via /app/compliance — auditor-ready in 2026 [Planned]
- CMMC Level 1 + 3: Internal control responses tracked in-app [Planned]
- NIST CSF 2.0: Function-by-function maturity tracked [Planned]
- Sub-processors: Fly.io, Neon, Resend, Sentry, Upstash, Stripe [Planned]
- Cyber insurance: Coverage in place; auto-fill attestation PDF available [Active]
Vulnerability disclosure
Found a bug? We want to hear from you.
- Contact: security@resolute-security.com [Active]
- Triage SLA: Acknowledge within 24h [Active]
- Safe harbor: Good-faith research won't get you a lawsuit [Active]
- Bounties: Case-by-case — material findings welcome [Planned]
Need more detail?
Enterprise prospects can request:
- SOC 2 Type II report (in progress, expected Q4 2026)
- Signed Master Subscription Agreement / DPA
- Sub-processor list with locations
- Pen-test summary (annual)
Reach out: trust@resolute-security.com