Security

This page describes what we actually run today. We do not claim certifications we have not earned. For the full posture see /privacy and /subprocessors.

Transport

TLS 1.2+ everywhere
All traffic to our public origins is terminated by Caddy with HSTS (max-age=31536000; includeSubDomains; preload). HTTP/1.0 and TLS 1.0/1.1 are disabled at the edge. Internal service-to-service calls use TLS or run over a private network.
Edge rate-limiting (defense-in-depth)
The application enforces per-IP and per-account rate limits at the API layer. In addition, Caddy carries the caddy-ratelimit plugin with stricter limits on /auth/*, /intake/*, /quote/*, /onboard/*, and a global write-quota; see deploy-agent/caddy/rate-limits.caddy.

Storage

Encryption at rest
Postgres data is encrypted at rest by the host’s LUKS volume. Application-level AES-GCM column encryption is used for sensitive fields (PHI, secrets, signed-document state). Backups are encrypted before leaving the primary host.
Secrets
Secrets are loaded from .env.local on the host (mode 0600, owner only). They never appear in the bundle or in client-rendered output. We do not store the Stripe secret key in the database.
Webhook signature verification
Stripe webhooks are verified with the official Stripe-Signature HMAC and a per-endpoint signing secret (lib/stripe/webhooks.ts). Replay tolerance is 5 minutes. Any request without a valid signature is rejected with 400.

Access

Least-privilege application accounts
Workspace data is gated by row-level checks in lib/auth/. We do not run any public endpoint with database superuser credentials. Admin operations require an MFA-backed session.
Engineering access
Production access is restricted to the founding engineering team with hardware-key MFA. All deploys go through a reviewed pull request and a green CI build. There is no "backdoor" login bypass.

Monitoring

Synthetic monitoring
A 5-minute systemd timer polls /, /quote, /buy/medflow, /healthz, and /api/admin/webhook-health. Two consecutive failures page on Telegram + SMS. See scripts/synthetic-monitor.sh and docs/EXTERNAL_MONITORING.md.
Health endpoint
/healthz returns process, data-directory, SMTP, and Stripe configuration status. /api/admin/healthz/full additionally reports memory, swap, and CPU utilization (read from /proc/meminfo and /proc/stat) gated behind an admin token.
Webhook health view
/api/admin/webhook-health reports the last successful Stripe event timestamp per endpoint and surfaces stale endpoints in the admin dashboard.

Incident response

Incident response runbook
See docs/IR_RUNBOOK.md for the on-call playbook (sev-classification, comms template, evidence-preservation steps, customer-notification timing).
Reporting a vulnerability
Email security@brainiacstechsolutions.com with steps to reproduce. We acknowledge within 2 business days and aim to remediate critical issues within 7 days. We do not pursue legal action against good-faith researchers operating under coordinated disclosure.