Trust Center

How we secure your data, protect your systems, and earn your trust.

Security Controls — Live

These controls are implemented and active in production today.

Live

Encryption in Transit

All traffic encrypted with TLS 1.3. HSTS enabled with preload. No plaintext connections accepted.

Live

Encryption at Rest

All stored data encrypted with AES-256. Database volumes use full-disk encryption. Backups are encrypted before transfer.

Live

Authentication & Access

Multi-factor authentication for all production access. API keys scoped by workspace. SSO available on Enterprise.

Live

Audit Logging

All API calls, configuration changes, and admin actions are logged with timestamps and actor identity. Logs retained for 90 days (1 year on Enterprise).

Live

Network Isolation

Production infrastructure runs in isolated VPCs. Internal services communicate over private networks. No direct public access to databases.

Live

Automated Backups

Continuous database backups with point-in-time recovery. Configuration and state backed up daily. Tested quarterly.

Live

Strict Content Security Policy

Hash-based CSP with no unsafe-inline for scripts or styles. X-Frame-Options DENY, HSTS preload, and all OWASP-recommended security headers.

Live

security.txt (RFC 9116)

Machine-readable vulnerability disclosure policy at /.well-known/security.txt. CISA-recommended standard.

Compliance Roadmap

We are an early-stage platform building toward enterprise compliance. Here is our honest timeline.

Q1 2026 — Complete

Infrastructure Hardening

TLS 1.3, AES-256, MFA, audit logging, network isolation, automated backups, security headers.

Q2 2026 — In Progress

SOC 2 Type I Preparation

Formal policies, access reviews, incident response procedures, vendor risk assessments. Engaging auditor.

Q3 2026 — Planned

SOC 2 Type I Audit

Point-in-time audit of security controls against Trust Services Criteria.

Q4 2026 — Planned

SOC 2 Type II Observation Begins

Continuous monitoring period (3-12 months) to demonstrate controls operate effectively over time.

We don't claim certifications we haven't earned. If you need a specific compliance attestation today, contact us and we'll tell you exactly where we stand.

Data Handling

Adapter data is ephemeral. We process and forward your data but do not persist it beyond delivery confirmation and dead-letter retry (up to 7 days).
We never inspect your data. Adapter payloads are treated as opaque. We do not mine, analyze, or train models on your data.
You own your data. Export or delete at any time. Account deletion removes personal data within 30 days.

Infrastructure

Cloud provider: DigitalOcean (US-East by default). EU and APAC regions available for Enterprise.
Edge network: TLS termination at edge with security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options).
Monitoring: Uptime monitoring, error tracking, and alerting. Self-hosted Sentry available for Enterprise.
Disaster recovery: Automated backups, point-in-time recovery, documented runbooks.

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly:

Email: security@carlquist.app
We acknowledge reports within 48 hours
We aim to patch critical vulnerabilities within 72 hours
We do not pursue legal action against good-faith researchers

Contact

Security questions: security@carlquist.app

Privacy requests: privacy@carlquist.app

Compliance inquiries: sales@carlquist.app