Security First
Security is the first design decision, not the last review. From threat modeling to incident response, here is what we do and what we publish so your security team can verify it.
Our Practices
Security Controls Running in Production
The controls a security review actually asks about, plus the tools we use to enforce them.
Encryption at Rest & In Transit
AES-256-GCM at rest with KMS-managed keys per tenant, TLS 1.3 in transit, and HSTS preload at the edge. Customer-supplied keys (BYOK) for engagements that require them.
Access Control & IAM
Least-privilege RBAC scoped to environment and tenant, hardware-backed MFA (FIDO2) for production access, just-in-time access elevation through approved Slack workflows, and immutable audit logs for every privileged action.
Infrastructure Security
AWS and GCP infrastructure provisioned through Terraform with peer review, VPC segmentation with no public ingress to the data tier, AWS WAF and CloudFront or Cloudflare for edge protection, and patches applied through automated image rebuilds rather than in-place updates.
Compliance & Audits
SOC 2 Type II maintained continuously (not annually rebuilt), annual third-party penetration tests with reports available under NDA, quarterly internal vulnerability scans, and dependency auditing built into the CI pipeline.
Incident Response
24/7 monitoring with on-call rotation, a runbook that has actually been run (not just written), Sev-1 acknowledgement under 15 minutes, and a customer-notification SLA aligned with your DPA, not a generic 72 hours.
Secure SDLC
Threat modeling at design review for new features, mandatory peer review with security-trained reviewers on auth and crypto code, SAST in pull-request CI (Semgrep), DAST against staging before release, and Dependabot or Renovate for dependency auditing.
Your Data
How We Handle Customer Data
What customer data is, where it lives, how long we keep it, and what happens when the engagement ends.
Data Classification & Segregation
Customer data is tagged and routed by classification (production data, code, documentation, support transcripts). Each tenant's production data is logically isolated and, where the engagement requires it, physically separated into dedicated infrastructure.
Residency & Sovereignty
Default residency is US (AWS us-east-1 / us-west-2). We deploy to EU regions (eu-west-1, eu-central-1) for engagements with EU data residency requirements, and to UK or APAC regions on request.
Retention & Deletion
Customer data is retained only for the term of the engagement plus the audit window the contract specifies. On termination, data is cryptographically purged within 30 days and certified in writing on request.
DSARs & Data Subject Rights
We respond to data subject access, correction, deletion, and portability requests within the windows GDPR Article 12 requires (one month, extendable by two). Submissions can be filed via our contact form or directly to your engagement owner.
Report an Issue
Responsible Disclosure
If you have found a security issue, here is how to tell us and what to expect back.
How to report
Send details to [email protected] with reproduction steps, the affected component, and any supporting evidence. PGP-encrypted submission is available on request.
What to expect
Acknowledgement within one business day. Triage and severity assessment within five business days. Status updates at least weekly until resolution. Public credit (if you want it) once the issue is closed.
Scope
Production systems and infrastructure we operate (softwarepro.nyc and direct subdomains). Customer applications we built but customers run are out of scope; route those reports through the customer's own security contact.
Safe harbor
Good-faith research that respects the scope above and avoids customer data or service disruption will not result in legal action from us.
Attestations
Certifications & Frameworks
Continuously maintained attestations. SOC 2 Type II reports and pen-test summaries available under NDA on request.
SOC 2 Type II
ISO 27001
GDPR Compliant
HIPAA Compliant
PCI DSS
AWS Well-Architected