1. Infrastructure
TL;DR — AWS us-east-1 + Cloudflare. Private VPCs, encrypted EBS, KMS-managed keys, isolated prod/dev/CI accounts.
Surfient runs on AWS in us-east-1 with Cloudflare in front as CDN, WAF, and DDoS protection. Production workloads sit in private VPC subnets with no public ingress; the only paths in are a Cloudflare Tunnel (formerly Argo Tunnel) and a narrow Lightsail bastion host. EBS and RDS volumes are encrypted at rest with AWS KMS customer-managed keys; backup snapshots inherit the same encryption.
The surfient.com marketing site runs on an OpenLiteSpeed/PM2 cluster on our onviqa Lightsail instance; the Shopify app runs on a managed Postgres cluster in a separate AWS region, isolated from the marketing-site database (surfient_site).
2. In transit & at rest
TL;DR — TLS 1.2+ everywhere, HSTS preloaded, AES-256 at rest, keys rotated annually.
All public endpoints are served over TLS 1.2+ with modern ciphers only; we publish HSTS with includeSubDomains and preload. Internal AWS traffic is TLS-terminated at the load balancer and re-encrypted to the origin. Data at rest is encrypted with AES-256 using KMS CMKs, rotated annually. R2 objects are encrypted with Cloudflare-managed keys by default; sensitive objects use bring-your-own-key (BYOK) envelope encryption.
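As an added check, not Surfient's code, the Node.js functions below parse a Strict-Transport-Security header and test it against the three hstspreload.org submission requirements: a max-age of at least one year (31536000 seconds), includeSubDomains, and the preload token. The sample header values are constructed inputs, chosen to show the two common ways a header falls short of preload eligibility.

```javascript
// Added example: validate an HSTS header against the hstspreload.org requirements.
// Not Surfient's code; the sample header values here are constructed inputs.
const PRELOAD_MIN_MAX_AGE = 31536000; // one year in seconds, the preload list minimum

// Parse "max-age=31536000; includeSubDomains; preload" into a directive map.
// Directive names are case-insensitive (RFC 6797), so keys are lower-cased;
// a quoted max-age value ("31536000") is also permitted by the RFC and unquoted here.
function parseHsts(headerValue) {
  const directives = {};
  for (const raw of headerValue.split(';')) {
    const part = raw.trim();
    if (part === '') continue;
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? true : part.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    directives[name] = value;
  }
  return directives;
}

// Return { ok, problems }; ok means the header satisfies all three preload requirements.
function checkHstsPreload(headerValue) {
  const d = parseHsts(headerValue);
  const problems = [];
  const maxAge = typeof d['max-age'] === 'string' ? Number.parseInt(d['max-age'], 10) : NaN;
  if (Number.isNaN(maxAge)) {
    problems.push('max-age is missing or not an integer');
  } else if (maxAge < PRELOAD_MIN_MAX_AGE) {
    problems.push(`max-age=${maxAge} is below the ${PRELOAD_MIN_MAX_AGE}s preload minimum`);
  }
  if (!('includesubdomains' in d)) problems.push('includeSubDomains is missing');
  if (!('preload' in d)) problems.push('preload token is missing');
  return { ok: problems.length === 0, problems };
}

// Constructed inputs: one header that meets the requirements and two that do not.
const SAMPLE_HEADERS = {
  good: 'max-age=31536000; includeSubDomains; preload',
  shortMaxAge: 'max-age=86400; includeSubDomains; preload',
  bare: 'max-age=31536000',
};

// Run every sample through the check and collect the verdicts.
function reportSamples() {
  const report = {};
  for (const [name, value] of Object.entries(SAMPLE_HEADERS)) {
    const result = checkHstsPreload(value);
    report[name] = result.ok ? 'preload-eligible' : result.problems.join('; ');
  }
  return report;
}

console.log(reportSamples());
```

Run it against the live header with `curl -sI https://example.com | grep -i strict-transport-security` and paste the value into checkHstsPreload; the preload list also requires the redirect chain from http:// to land on https:// on the same host, which a header check alone cannot see.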
3. Access control
TL;DR — SSO + hardware 2FA, least-privilege IAM, quarterly access reviews, no shared accounts.
Production access is through Okta SSO with mandatory YubiKey 2FA. No staff member has standing "root" credentials; privileged actions go through a Just-In-Time elevation workflow with Slack-based approval. IAM policies follow least privilege and are validated per service with AWS IAM Access Analyzer. Access is reviewed quarterly and immediately on role change or departure.
Customer data is accessed only to deliver support or debug a reported issue, with the customer's written consent, logged to an append-only audit trail. No staff reviews customer catalog data for product-development purposes.
4. Application security
TL;DR — Dependency scanning, SAST on every PR, annual external pen-test, strict CSP, Turnstile on public forms.
Every pull request runs:
- Biome + TypeScript type-check;
- Semgrep + npm audit --prod for known CVEs;
- the full Playwright + axe-core + Lighthouse suite (enforced in CI);
- a review from a second engineer before merge.
The public marketing site ships a strict Content-Security-Policy (a per-request nonce-based script allowlist; no 'unsafe-inline' or 'unsafe-eval') and Cloudflare Turnstile on all contact, newsletter, and score-tool submissions. The Shopify app additionally meets Shopify's Built for Shopify requirements.
An external penetration test is commissioned at least annually; remediation plans for any High/Critical finding are completed within 30 days.
5. Incident response
TL;DR — Severity-tiered playbooks. SEV-1: customer notice within 72h, public post-mortem within 14 days.
We maintain severity-tiered incident-response playbooks:
- SEV-1 (customer data exposure or outage >1h): affected customers notified within 72 hours, the same window GDPR Art. 33 gives a controller to notify its supervisory authority (our customers are the controllers for their data, so we tell them without undue delay so they can meet that deadline); a public post-mortem is published within 14 days.
- SEV-2 (material degradation): status page updated in real time; customers with active tickets notified.
- SEV-3 (minor bug): fixed in the normal release cycle.
Past incidents will be linked from this section when they occur — we don't hide the history.
6. Responsible disclosure
TL;DR — Email [email protected]. Safe-harbour for good-faith research. Swag for valid reports.
We welcome security research and operate a coordinated-disclosure program:
- Email [email protected] with your finding. PGP key fingerprint: 4E 3A 9B 12 8C D5 77 6E 0A B4 1F 33 96 C9 51 22.
- Give us a reasonable time to fix before public disclosure (typically 90 days, sooner by mutual agreement).
- Don't access data that isn't yours, don't disrupt the service, and don't run automated scans against production without coordination.
We thank valid reporters in a public acknowledgements list (with your permission) and send a small token of appreciation; we do not currently run a paid bounty program but are moving toward one.
7. Compliance
TL;DR — SOC 2 Type II in progress (target: Q4 2026). GDPR/UK GDPR/CCPA ready today.
Current compliance posture:
- GDPR / UK GDPR / Swiss revFADP: compliant today; DPA + SCCs available.
- CCPA / CPRA: California residents have the rights listed in the Privacy Policy §6.
- SOC 2 Type II: Type I target Q3 2026, Type II by end of 2026.
- Shopify Built for Shopify: the Surfient app meets the BFS requirements effective April 2026.
- ISO 27001: not currently certified; under evaluation for 2027.
Found something?
Email [email protected]. We read every report.