Trust & Safety

Security

We take the security of your data and our infrastructure seriously. Below is an overview of our security practices. For questions or to report a vulnerability, see the Responsible Disclosure section.

Encryption

  • All data in transit is encrypted with TLS 1.2 or higher. TLS 1.0/1.1 are disabled.
  • Data at rest (database, object storage) is encrypted with AES-256.
  • Passwords are never stored in plaintext — bcrypt with cost factor ≥ 12.
  • API keys are stored as bcrypt hashes; the plaintext key is shown once at generation.

Access Controls

  • Principle of least privilege: every system component and employee role has only the access it needs.
  • Production systems are accessible only via authenticated, encrypted channels (no plain-SSH from developer machines to prod).
  • Multi-factor authentication is required for administrative access to cloud infrastructure.
  • Access reviews are performed quarterly.

Infrastructure

  • Hosted on managed cloud infrastructure (Vercel edge network, Neon serverless Postgres, Upstash Redis).
  • Database backups are automated and tested regularly. Point-in-time recovery enabled.
  • Environments are isolated: production, staging, and development share no credentials.
  • No sensitive configuration values are committed to source control — all secrets via environment variables.

Dependency & Vulnerability Management

  • Dependencies are scanned for known CVEs on every build via automated tooling.
  • Critical and high-severity vulnerabilities are patched within 7 days of disclosure.
  • Third-party sub-processors are evaluated for security posture before integration.
  • Our full sub-processor list is published on the Trust Center.

Incident Response

  • We maintain an incident response plan with defined roles, escalation paths, and communication templates.
  • Security events are logged and alerted on via our observability stack (Sentry, server-side monitoring).
  • In the event of a data breach, affected customers are notified within 72 hours where required by law.
  • Post-incident reviews are documented and drive process improvement.

Application Security

  • CSRF protection on all state-changing endpoints.
  • Input validation and output encoding throughout the application stack.
  • Strict Content Security Policy, X-Frame-Options, and HSTS headers enforced.
  • Rate limiting on authentication endpoints and the public API.

Responsible Disclosure

Report a Vulnerability

If you believe you have discovered a security vulnerability in our systems, please disclose it responsibly. We are grateful for researchers who help keep our platform safe.

Report vulnerabilities by email to security@lowkeyagency.ca or via our security.txt.

Please include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce or a proof-of-concept.
  • Any affected URLs, endpoints, or components.

Our commitment:

  • We will acknowledge your report within 2 business days.
  • We will investigate and provide an update within 14 days.
  • We will not pursue legal action against researchers acting in good faith within this policy.
  • We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to remediate.

We do not currently offer a paid bug bounty program, but we are happy to provide credit and acknowledgment for validated findings.

Our full list of sub-processors, compliance posture, and certifications is published on the Trust Center. Our Data Processing Agreement is available at /dpa.

Security questions: contact@lowkeyagency.com