Security

The technical detail your security team will ask for.

We're an Australian company building tools that handle sensitive workplace wellbeing data. Here's the technical posture, where we are on certifications, and how to report a vulnerability. For the customer-facing version see /trust or our Privacy Policy.

Last updated: 1 May 2026

Encryption + access

In transit

TLS 1.3 across every network hop. HSTS enabled. No HTTP fallback.

At rest

AES-256 at the storage layer. Free-text reflections (check-in notes, anonymous feedback) are additionally encrypted at the application layer.

Authentication

Email + password for admins (bcrypt-hashed, 12 rounds). 4-digit PIN for packmates. JWTs scoped to one workspace, 14-day rotation. Manual token revocation on demand.

Infrastructure access

Production database access restricted to the two senior engineers. SSH bastion with audit logging. Quarterly access review.

Certifications + audits

We're early — here's where we honestly are on each. As we move, this page moves with us. No lying about lapsed certs.

  • SOC 2 Type II (in progress)
    Audit window opens Q3 2026 with Drata. Type I report available on request to enterprise prospects under NDA.

  • ISO/IEC 27001 (in progress)
    Gap assessment complete. Implementation phase running parallel to SOC 2 Type II.

  • Annual penetration test (planned)
    External pentest scheduled with an Australian firm before our first 1,000-packmate customer onboards. Summary report shared under NDA.

  • GDPR + Australian Privacy Principles (in place)
    See /privacy for our full posture. Data Processing Agreement available on request; email privacy@thebetterusproject.com.

  • Subprocessor list (in place)
    Listed on our Privacy page: Vercel, Replit, Firebase, Stripe, Resend. We notify customers 30 days before adding a new one.

Reporting a vulnerability

Found something that looks wrong? Tell us privately and we'll fix it fast. We don't prosecute good-faith research.

security@thebetterusproject.com

We acknowledge within 24 hours. Triage within 72.

  1. Email us with steps to reproduce, the affected URL, and any proof-of-concept payload. Encrypt with our PGP key on request.
  2. Don't access, modify, or exfiltrate other customers' data, even briefly. Use a test workspace.
  3. Hold off public disclosure until we've shipped the fix (we'll keep you in the loop). 90-day default.

We don't run a paid bug bounty yet, but we credit researchers (with permission) on this page once a finding is resolved.

Operational practice

Backups

Daily encrypted snapshots, retained 30 days. Restore tested monthly. Customer-initiated point-in-time restore available on the Enterprise tier.

Logging

Application + infra logs retained 90 days. PII scrubbed at write time. Admin actions logged to /admin/audit (kept indefinitely).

Incident response

On-call rotation, 15-minute paging SLA for severity-1. Public status page at /status. Post-mortem within 5 business days for any incident affecting more than 1% of customers.

Secret management

Production secrets in Vercel + Replit env vars (encrypted at rest, scoped to deploy). No secrets in git. Pre-commit secret scanner.

Talk to us

Procurement, audit, security questionnaire?

We answer every security questionnaire ourselves — usually within 48 hours. CAIQ + SIG Lite responses available on request.