
Security, honestly stated.

No procurement-team theater. No SOC 2 badge in the footer that we don't have. Here's what we actually do, what we don't, and what's on the roadmap with a real date.

// the basics

What's in place today.

// 01 · TRANSIT

TLS 1.3 everywhere. HSTS preloaded.

Every byte that leaves your browser is over TLS 1.3 with modern cipher suites. HSTS is preloaded. Mixed content is blocked at the CDN edge. We rotate certificates every 60 days.

tls version: 1.3
cert rotation: 60d
hsts: preloaded

// 02 · AT REST

AES-256, KMS-managed.

Postgres volumes are encrypted at rest with AES-256, keys managed in AWS KMS, rotated annually. Daily snapshots to S3 with the same key envelope. Backups are encrypted before they leave the box.

algorithm: AES-256-GCM
key mgmt: AWS KMS
backup retention: 30 days

// 03 · AUTH

Argon2id passwords, TOTP MFA, SSO on Pro+.

Passwords hashed with Argon2id (memory-hard, side-channel resistant). TOTP MFA available to every account, free or paid. SSO via Google Workspace and SAML for any plan at 5+ seats.

hash: Argon2id
mfa: TOTP · all plans
sso: SAML / Google · 5+ seats

// 04 · AI & YOUR DATA

Zero-retention. No model training. Ever.

Pro AI calls hit Anthropic with data_retention: 0 and a signed zero-retention agreement. Your prompts and contact data are not used to train any model, ours, theirs, or anyone else's. The Jedi-style answer is on the FAQ.

provider: Anthropic / Bedrock
retention: 0 days
training opt-in: never

// 05 · ACCESS

One person on the prod box. That's me.

Tyler is the only human with shell access to production. SSH via hardware key. All actions logged to an immutable audit stream. When we hire engineer #2 in 2026, they will get read-only first; write access only after the audit pipeline is dual-control.

prod access: 1 person
auth method: YubiKey
audit log: immutable · 2y

// 06 · INCIDENTS

Disclosure within 72 hours, every time.

We've had two incidents in 21 months, both rate-limit slowdowns, no data exposure. Both were posted to the public status page within an hour, with a full post-mortem within a week. The post-mortems are still online.

incidents to date: 2 / 21mo
data exposure: 0
disclosure sla: ≤ 72h

// the honest list
// WHAT WE DON'T HAVE YET

The receipts we won't fake to win your procurement review.

Most CRMs put a SOC 2 / ISO / HIPAA badge in the footer the day they sign the engagement letter. We won't do that. Here's what we don't have today, and when we will:

SOC 2 Type II. Type II audit kicks off Q4 2026, report expected mid-2027. If your security team requires it today, we are not the right vendor today. Tyler will tell you that on the discovery call. → MID 2027
ISO 27001. On the roadmap behind SOC 2. Realistic timeline: 2028. → 2028
HIPAA. We are not a BAA-signing vendor. If you need to put PHI in a CRM, we are not the right tool, likely ever. → NEVER
GDPR Art. 27 representation. US-incorporated, US-hosted today. EU region planned for late 2027. Until then we will sign a DPA but we will not claim formal Art. 27 representation. → LATE 2027
FedRAMP / IL-anything. Not pursuing. If you are GovCloud-bound, we are not your CRM. → NEVER
// the stack

Subprocessors. The whole list.

Every third party we send your data through, named, with the region and what they do. If we add or remove one, the change shows up here within 5 business days.

AWS // us-east-1 + us-west-2
Postgres + S3 + KMS. Where your CRM data lives. Encrypted at rest, encrypted in transit, encrypted in backup.
region: virginia · oregon

Anthropic // claude-3.5 / 4.x
Origin agents. Zero-retention contract signed. No training opt-in. Every prompt scoped per-request.
region: us

Twilio // programmable voice
3-line parallel dialer. Call recordings stored encrypted in our S3 with 90-day default retention (configurable to 0).
region: us

Stripe // billing
Card data. We never see the PAN; Stripe Elements tokenizes it in your browser. We hold a customer ID and the last 4 digits.
region: us

Postmark // transactional email
Account emails (login, receipts, password reset). Outbound CRM emails never go through Postmark; those use your Gmail / Outlook OAuth directly.
region: us

Cloudflare // edge + dns
CDN, WAF, bot mitigation. Terminates TLS at the edge. No log retention beyond 24h.
region: global

Sentry (self-hosted) // error monitoring
Self-hosted in our AWS account. PII stripped at the SDK layer before transmission. 14-day retention.
region: us-east-1
// the worst case
// SUCCESSION.MD · IF I GET HIT BY A BUS

The Dead Man's Switch.

Solo founder. One person. If something happens to me, your data should not be hostage to a probate court. The repo runs a CI job that polls for commit activity. If no commit lands for 90 consecutive days, the following happens automatically:

# SUCCESSION.MD · public · github.com/dealarena/dealarena
# cron: every monday 09:00 EST
$ last_commit_age > 90d
    publish source MIT
    mail S3 export to every customer email on file
    post final entry on Substack
    stripe: refund all unused prepaid balance

Documented in SUCCESSION.md on our public repo. Two trusted contacts hold the secondary keys (one lawyer in Philly, one ops contact in Austin). They get an email if the switch trips.
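As an added illustration of the check described above (this is not DealArena's own CI code, which lives in the repo linked on this page): the job reads the timestamp of the latest commit with git's `log -1 --format=%ct`, compares it against the 90-day window, and only then runs the four actions in the order the page lists them. The action functions here are placeholders that just record what they would do; the real publish, export, post and refund steps are assumed to exist elsewhere. Two edge cases a runner like this should handle are shown: a commit dated in the future (clock skew) never counts as inactivity, and a git failure is treated as "do not trip", so a broken runner cannot fire irreversible actions by accident.

```python
"""Dead man's switch check: trips when the repo has seen no commit for N days.

Added illustration, not the project's own code. Assumes the latest commit time
comes from `git log -1 --format=%ct` (UNIX committer date) and that the four
follow-up actions exist as callables; the ones below are placeholders.
"""
import subprocess
from datetime import datetime, timezone
from typing import Callable, List, Optional

THRESHOLD_DAYS = 90  # window of commit inactivity stated on the page


def last_commit_time(repo_path: str = ".") -> Optional[datetime]:
    """Committer timestamp of HEAD as an aware UTC datetime, or None if git
    is unavailable or the repo has no commits."""
    try:
        out = subprocess.run(
            ["git", "-C", repo_path, "log", "-1", "--format=%ct"],
            capture_output=True, text=True, check=True,
        ).stdout.strip()
        return datetime.fromtimestamp(int(out), tz=timezone.utc)
    except (subprocess.CalledProcessError, FileNotFoundError, ValueError):
        return None


def commit_age_days(last_commit: datetime, now: datetime) -> float:
    """Age of the last commit in days. A commit dated in the future (clock
    skew, rewritten dates) counts as age 0: it can delay, never trip, the switch."""
    return max((now - last_commit).total_seconds(), 0.0) / 86400.0


def should_trip(last_commit: Optional[datetime], now: datetime,
                threshold_days: int = THRESHOLD_DAYS) -> bool:
    """Trip condition. A missing timestamp means the check itself failed, and a
    failed check must not trigger the irreversible actions."""
    if last_commit is None:
        return False
    return commit_age_days(last_commit, now) > threshold_days


# Placeholder actions (hypothetical), in the order the page lists them.
def publish_source_mit() -> str:
    return "publish source MIT"


def mail_s3_export_to_customers() -> str:
    return "mail S3 export to every customer email on file"


def post_final_entry() -> str:
    return "post final entry on Substack"


def refund_unused_prepaid() -> str:
    return "stripe: refund all unused prepaid balance"


ACTIONS: List[Callable[[], str]] = [
    publish_source_mit,
    mail_s3_export_to_customers,
    post_final_entry,
    refund_unused_prepaid,
]


def run_switch(last_commit: Optional[datetime], now: datetime,
               actions: Optional[List[Callable[[], str]]] = None,
               threshold_days: int = THRESHOLD_DAYS) -> List[str]:
    """One evaluation of the switch (one weekly cron tick). Returns the records
    of the actions executed, in order; empty when the switch did not trip."""
    if not should_trip(last_commit, now, threshold_days):
        return []
    return [action() for action in (actions if actions is not None else ACTIONS)]


def run_switch_iso(last_commit_iso: Optional[str], now_iso: str,
                   threshold_days: int = THRESHOLD_DAYS) -> List[str]:
    """Same evaluation driven by ISO-8601 strings, convenient for dry runs
    against constructed dates (e.g. '2025-01-01T00:00:00+00:00')."""
    last = datetime.fromisoformat(last_commit_iso) if last_commit_iso else None
    return run_switch(last, datetime.fromisoformat(now_iso), None, threshold_days)


if __name__ == "__main__":
    now = datetime.now(tz=timezone.utc)
    last = last_commit_time(".")
    age = f"{commit_age_days(last, now):.1f}d" if last else "n/a"
    print(f"last commit: {last}  age: {age}")
    for record in run_switch(last, now):
        print("tripped:", record)
```

Run inside any git checkout to see the age of HEAD and whether the switch would trip; the strict `>` comparison means exactly 90 days of silence is still one day short of tripping, which is a choice worth making explicit in the real job.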

// disclosure

Found something? Tell me.

No bug bounty bureaucracy. Email Tyler directly with reproduction steps. We acknowledge within 24 hours, fix criticals within 7 days, and publish a post-mortem after.

// disclose: security@dealarena.io
// PGP: 0xA4F1 2B89 3E7C 0042
// avg ack: 3h