Trust & Safety
Security
We take the security of your data and our infrastructure seriously. Below is an overview of our security practices. For questions or to report a vulnerability, see the Responsible Disclosure section.
Encryption
- All data in transit is encrypted with TLS 1.2 or higher. TLS 1.0/1.1 are disabled.
- Data at rest (database, object storage) is encrypted with AES-256.
- Passwords are never stored in plaintext — bcrypt with cost factor ≥ 12.
- API keys are stored as bcrypt hashes; the plaintext key is shown once at generation.
Access Controls
- Principle of least privilege: every system component and employee role has only the access it needs.
- Production systems are accessible only via authenticated, encrypted channels (no plain-SSH from developer machines to prod).
- Multi-factor authentication is required for administrative access to cloud infrastructure.
- Access reviews are performed quarterly.
Infrastructure
- Hosted on managed cloud infrastructure (Vercel edge network, Neon serverless Postgres, Upstash Redis).
- Database backups are automated and tested regularly. Point-in-time recovery enabled.
- Environments are isolated: production, staging, and development share no credentials.
- No sensitive configuration values are committed to source control — all secrets via environment variables.
Dependency & Vulnerability Management
- Dependencies are scanned for known CVEs on every build via automated tooling.
- Critical and high-severity vulnerabilities are patched within 7 days of disclosure.
- Third-party sub-processors are evaluated for security posture before integration.
- Our full sub-processor list is published on the Trust Center.
Incident Response
- We maintain an incident response plan with defined roles, escalation paths, and communication templates.
- Security events are logged and alerted on via our observability stack (Sentry, server-side monitoring).
- In the event of a data breach, affected customers are notified within 72 hours where required by law.
- Post-incident reviews are documented and drive process improvement.
Application Security
- CSRF protection on all state-changing endpoints.
- Input validation and output encoding throughout the application stack.
- Strict Content Security Policy, X-Frame-Options, and HSTS headers enforced.
- Rate limiting on authentication endpoints and the public API.
Responsible Disclosure
Report a Vulnerability
If you believe you have discovered a security vulnerability in our systems, please disclose it responsibly. We are grateful for researchers who help keep our platform safe.
Report vulnerabilities by email to security@lowkeyagency.ca or via our security.txt.
Please include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce or a proof-of-concept.
- Any affected URLs, endpoints, or components.
Our commitment:
- We will acknowledge your report within 2 business days.
- We will investigate and provide an update within 14 days.
- We will not pursue legal action against researchers acting in good faith within this policy.
- We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to remediate.
We do not currently offer a paid bug bounty program, but we are happy to provide credit and acknowledgment for validated findings.
Our full list of sub-processors, compliance posture, and certifications is published on the Trust Center. Our Data Processing Agreement is available at /dpa.
Security questions: contact@lowkeyagency.com