
Trust & Safety

Security & Compliance

Enterprise clients trust us with sensitive business logic and data. Here's exactly how we protect it.

How does Code and Trust protect client data?

Code and Trust implements defense-in-depth security across all client projects and our own infrastructure. Data is encrypted at rest and in transit, access is role-gated by team function, and we conduct quarterly security reviews. All team members complete annual security awareness training.

Infrastructure Security

  • All traffic served over HTTPS via Vercel's edge network — no plain-HTTP endpoints.

  • Database (Neon PostgreSQL) is encrypted at rest using AES-256; connections use TLS 1.3.

  • Environment variables and secrets stored in Vercel Secrets — never committed to source code.

  • Production and development environments are fully separated with distinct credentials.

Application Security

  • Parameterized queries (tagged SQL templates) throughout — no string concatenation in SQL.

  • OWASP Top 10 practices followed: input validation, output encoding, secure session management.

  • Dependency scanning via GitHub Dependabot — critical CVEs patched within 24 hours.

  • Content Security Policy headers on all responses to mitigate XSS.
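As an added illustration of the parameterized-query point above (this is example code, not Code and Trust's code or any specific driver's API), the block below shows how a tagged SQL template keeps interpolated values out of the SQL text. The `sql` tag is a hypothetical minimal helper modelled on the tagged-template style of Postgres drivers: it turns each interpolated value into a `$n` placeholder and returns the text and bound values separately, whereas plain string interpolation splices the input into the statement itself.

```javascript
// Added example: a minimal tagged-template SQL builder.
// `sql` is a hypothetical helper written for this page, not a real driver's API.

// A tag function receives the literal string pieces and the interpolated
// values as separate arguments, so the values never become SQL text.
function sql(strings, ...values) {
  let text = strings[0];
  for (let i = 0; i < values.length; i++) {
    // Each value becomes a positional placeholder ($1, $2, ...) in the text.
    text += `$${i + 1}` + strings[i + 1];
  }
  return { text, values };
}

// Unsafe contrast: ordinary interpolation puts the raw input into the statement,
// so a quote in the input changes the SQL itself.
function buildQueryUnsafe(clientName) {
  return `SELECT id FROM clients WHERE name = '${clientName}'`;
}

// Parameterized form: the same query with the value passed as a bound parameter.
function buildQuerySafe(clientName) {
  return sql`SELECT id FROM clients WHERE name = ${clientName}`;
}

// Several parameters are numbered in order of appearance.
function buildProjectQuery(projectId, clientName) {
  return sql`SELECT id FROM clients WHERE project_id = ${projectId} AND name = ${clientName}`;
}

// Constructed sample input: a legitimate name containing an apostrophe.
const SAMPLE_NAME = "O'Brien";

// Stand-alone run: the unsafe text carries the apostrophe into the SQL,
// the safe form leaves it in the values array.
console.log(buildQueryUnsafe(SAMPLE_NAME));
console.log(buildQuerySafe(SAMPLE_NAME));
console.log(buildProjectQuery(42, SAMPLE_NAME));
```

The point to check in a code review is that a query's text contains only placeholders and its values travel in a separate array; a database driver then sends the two parts separately, so the value is never parsed as part of the statement.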

Data Handling

  • Client data is isolated per project — no shared databases between separate client engagements.

  • Minimal data retention: we keep only what's needed for the project and delete it on request.

  • NDA by default for enterprise clients — countersigned within 4 business hours.

  • All team members complete annual security awareness training.

Compliance Practices (SOC 2 Alignment)

  • Access controls: role-based access, least-privilege principle, quarterly access review.

  • Change management: all production deployments reviewed and logged.

  • Availability: 99.9% uptime target via Vercel infrastructure, monitored by UptimeRobot.

  • Note: Code and Trust follows SOC 2 practices but has not completed a formal audit. Contact us if your compliance team requires additional documentation.

Security Incident Response

Code and Trust maintains a 24-hour response SLA for all security incidents affecting client systems. Critical vulnerabilities in production systems receive immediate escalation — acknowledged within 4 hours, contained within 24, root cause report within 72 hours of resolution.

  • Acknowledgment: < 4 hours (critical issues)

  • Containment: < 24 hours (all severity levels)

  • Post-mortem: 72 hours (after resolution)

Report a Vulnerability

If you discover a security vulnerability on codeandtrust.com or in any Code and Trust client-facing system, please report it responsibly. We will acknowledge within 24 hours and will not take legal action against good-faith disclosure.

security@codeandtrust.com