
Security, honestly stated.

Security-first design. Best-practice controls. Industry-standard encryption. No procurement-team theater. No certification badges in the footer that we don't have. Here's what we actually do, what we don't, and what's on the roadmap.

// the basics

What's in place today.

// 01 · TRANSIT

TLS 1.3 everywhere. HSTS preloaded.

Every byte that leaves your browser is over TLS 1.3 with modern cipher suites. HSTS is preloaded. Mixed content is blocked at the CDN edge. We rotate certificates every 60 days.

tls version: 1.3
cert rotation: 60d
hsts: preloaded
// 02 · AT REST

AES-256, KMS-managed.

Postgres data is encrypted at rest with AES-256 on our managed Postgres sub-processor (Neon, running on AWS). Keys are managed by Neon's KMS integration, rotated annually. Encryption applies at every stage: at rest, in transit, and in backup.

Two layers of recoverability. First, every prospect delete and bulk-action delete inside the app goes to a 30-day soft-delete trash with one-click restore. Second, the database itself runs continuous point-in-time recovery: if something corrupts data at a scale the trash can't handle (bad mass-edit, account compromise, corrupted import), we can rewind the entire database to any state within the last 30 days. Two independent layers; neither depends on the other.

algorithm: AES-256-GCM
key mgmt: Neon KMS
backup retention: 30-day PITR window
// 03 · AUTH

Argon2id passwords, TOTP MFA, SSO on Pro+.

Passwords hashed with Argon2id (memory-hard, side-channel resistant). TOTP MFA available to every account, free or paid. SSO via Google Workspace and SAML for any plan at 5+ seats.

hash: Argon2id
mfa: TOTP · all plans
sso: SAML / Google · 5+ seats
// 04 · AI & YOUR DATA

Zero-retention. No model training. Ever.

Pro AI calls hit Anthropic with data_retention: 0 and a signed zero-retention agreement. Your prompts and contact data are not used to train any model, ours, theirs, or anyone else's.

provider: Anthropic / Bedrock
retention: 0 days
training opt-in: never
// 05 · ACCESS

One person on the prod box. That's me.

Tyler is the only human with shell access to production. SSH via hardware key. All actions logged to an immutable audit stream. When we hire engineer #2 in 2026, they will get read-only first; write access only after the audit pipeline is dual-control.

prod access: 1 person
auth method: YubiKey
audit log: immutable · 2y
// 06 · INCIDENTS

Disclosure within 72 hours, every time.

We've had two incidents in 21 months, both rate-limit slowdowns, no data exposure. Both were posted to the public status page within an hour and a full post-mortem within a week. The post-mortems are still online.

incidents to date: 2 / 21mo
data exposure: 0
disclosure sla: ≤ 72h
// the honest list
// WHAT WE DON'T CLAIM

The receipts we won't fake to win your procurement review.

Plenty of vendors put compliance badges in the footer the day they sign the engagement letter. We won't do that. We hold no formal compliance certifications today. We do not claim any. Here's the plain version:

No formal compliance certifications. We do not hold any audited compliance certifications, and we will not display badges or attestations we don't have. If your security team requires a specific audited certification today, we are not the right vendor today. Tyler will tell you that on the discovery call. → HONEST
No protected-health-information vendor. We are not a BAA-signing vendor. If you need to put PHI in a CRM, we are not the right tool, likely ever. → NEVER
No formal EU representation. US-incorporated, US-hosted today. EU region planned for late 2027. Until then we will sign a DPA but we will not claim formal EU representation. → LATE 2027
No FedRAMP / GovCloud. Not pursuing. If you are GovCloud-bound, we are not your CRM. → NEVER
// the stack

Subprocessors. The whole list.

Every third party we send your data through, named, with the region and what they do. If we add or remove one, the change shows up here within 5 business days.

Neon // managed Postgres
Where your CRM data lives. Encrypted at rest (AES-256), point-in-time recovery enabled (30-day window). Runs on AWS under the hood. SOC 2 Type II + ISO 27001 + ISO 27701 certified.
virginia (us-east-1)
Render // application hosting
Where the DealArena app runs. Zero-downtime deploys, autoscaling, audit logs. SOC 2 Type II + ISO 27001 certified.
virginia (us-east-1)
Anthropic // claude-3.5 / 4.x
Origin agents. Zero-retention contract signed. No training opt-in. Every prompt scoped per-request.
us
Twilio // programmable voice
Powers the single-line autodialer (Solo+) and the Power Dialer (Pro mobile, in development). Call recordings stored encrypted in our S3 with 90-day default retention (configurable to 0).
us
Stripe // billing
Card data. We never see the PAN; Stripe Elements tokenizes it in your browser. We hold a customer ID and the last 4 digits.
us
Postmark // transactional email
Account emails (login, receipts, password reset). Outbound CRM emails never go through Postmark; those use your Gmail / Outlook OAuth directly.
us
Cloudflare // edge + dns
CDN, WAF, bot mitigation. Terminates TLS at the edge. No log retention beyond 24h.
global
Sentry (self-hosted) // error monitoring
Self-hosted in our AWS account. PII stripped at the SDK layer before transmission. 14-day retention.
us-east-1
// the worst case
// SUCCESSION.MD · IF I GET HIT BY A BUS

The Dead Man's Switch.

Solo founder. One person. If something happens to me, your data should not be hostage to a probate court. The repo runs a CI job that polls for commit activity. If no commit lands for 90 consecutive days, two things happen automatically:

# SUCCESSION.MD · public · github.com/dealarena/dealarena
# cron: every monday 09:00 EST
$ last_commit_age > 90d
    publish source MIT
    mail S3 export to every customer email on file
    post final entry on Substack
    stripe: refund all unused prepaid balance

Documented in SUCCESSION.md on our public repo. Two trusted contacts hold the secondary keys (one lawyer in Philly, one ops contact in Austin). They get an email if the switch trips.
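The check that weekly job has to make, written out as an added example in POSIX sh (this is not DealArena's own CI job, which is only sketched above). It assumes it runs inside a checkout of the repo, a 90-day threshold, and that the four actions live in hypothetical scripts under ./succession/; the switch only fires when SUCCESSION_RUN=1 so the file can be sourced for its functions.

```shell
#!/bin/sh
# Added example (not the project's code): dead man's switch check for a CI cron.
# Assumptions: runs in a git checkout; actions are hypothetical ./succession/*.sh scripts.

THRESHOLD_DAYS=90

# Whole days between the last commit and "now", both as Unix epoch seconds.
# Clamped at 0 so a future-dated commit cannot produce a negative age.
commit_age_days() {
    age=$(( ($2 - $1) / 86400 ))
    if [ "$age" -lt 0 ]; then age=0; fi
    echo "$age"
}

# True (exit 0) only when the repo has been silent for MORE than the threshold,
# matching the "> 90d" condition in the sketch above.
switch_tripped() {
    [ "$(commit_age_days "$1" "$2")" -gt "$THRESHOLD_DAYS" ]
}

# Committer timestamp (%ct) of the newest commit. Unlike the author date (%at),
# it is refreshed by amend/rebase, so it tracks the latest activity more closely.
last_commit_epoch() {
    git log -1 --format=%ct HEAD
}

run_switch() {
    now=$(date +%s)
    # Fail closed: with no readable history we refuse to act rather than guess.
    last=$(last_commit_epoch) || { echo "no git history found; refusing to act" >&2; return 2; }
    age=$(commit_age_days "$last" "$now")
    if switch_tripped "$last" "$now"; then
        echo "no commit for $age days: tripping the switch"
        # Each step runs only if the previous one succeeded.
        ./succession/publish_source_mit.sh &&
        ./succession/mail_s3_export.sh &&
        ./succession/post_final_entry.sh &&
        ./succession/stripe_refund_prepaid.sh
    else
        echo "last commit $age days ago (threshold $THRESHOLD_DAYS): nothing to do"
    fi
}

# Only act when explicitly asked, so sourcing this file for its functions is safe.
if [ "${SUCCESSION_RUN:-0}" = "1" ]; then
    run_switch
fi
```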

// disclosure

Found something? Tell me.

No bug bounty bureaucracy. Email Tyler directly with reproduction steps. Acknowledge within 24 hours, fix within 7 days for criticals, public post-mortem after.

// disclose: security@dealarena.io · PGP: 0xA4F1 2B89 3E7C 0042 · avg ack: 3h