Built to pass the security questionnaire.
Encryption, access controls, audit trails, and responsible disclosure: everything your governance team needs, built in from day one.
Security at a glance
Security controls
A full breakdown of the controls in place across data security, identity, access, audit, and monitoring.
Data security
Encryption in transit
All HTTP traffic is served over TLS 1.2+. Certificates are managed and auto-renewed.
Encryption at rest
Data is stored in Neon Postgres with provider-managed AES-256 encryption at rest. Backups are also encrypted.
Managed infrastructure
We run on Vercel (compute) and Neon (Postgres). Both providers maintain SOC 2 Type II and ISO 27001 certifications.
Data isolation
Each organization's data is logically isolated by organizationId on every query. No cross-tenant data access is possible by design.
Identity & authentication
SAML SSO
Enterprise plans can configure SAML 2.0 SSO with any identity provider (Okta, Azure AD, Google Workspace, etc.). SSO can be enforced org-wide.
Multi-factor authentication
TOTP-based MFA is available for all users. Admins can view and monitor MFA adoption across their organization.
Password policy
Passwords are hashed with bcrypt (cost factor 12). Password reset uses time-limited single-use tokens delivered to the registered email.
Session management
Sessions are JWT-based with configurable expiry. Users can view active sessions and revoke all sessions remotely from Security settings.
Access control
Role-based permissions
Three roles (Owner, Admin, Member) with clearly scoped capabilities. Billing and organization settings are Admin-only. User provisioning and deprovisioning follows standard invite/revoke flows.
Principle of least privilege
All server queries are scoped by organizationId on every request. Admins cannot access other organizations' data, and Members cannot access Admin features.
Admin subdomain isolation
Platform administration (admin.remindersforteams.com) is on a separate subdomain with its own authentication layer and is not accessible from the customer-facing application.
Audit logging & compliance
Security audit trail
Every security-sensitive action is logged: sign-ins (with IP and device), password changes, email changes, MFA enable/disable, session revocations, and membership changes.
Immutable export chain
Audit exports are hash-chained using SHA-256 so any tampering is detectable. Export history is recorded in a separate audit record.
Configurable retention
Admins can set audit log retention windows (30 to 365 days) and run manual cleanup. A nightly cron enforces the configured retention policy automatically.
CSV / JSON export on demand
Admins can export the full audit log at any time in CSV or JSON format, with no support request needed.
Monitoring & incident response
Error tracking
Production errors are captured in Sentry with full stack traces and context. Alert thresholds are configured for error-rate spikes and SSO callback failures.
Product observability
Key flows (authentication, notification delivery, billing events) are instrumented in PostHog. Anomaly detection is in place for notification delivery failures.
Incident response
We maintain runbooks for known failure categories. In the event of a data breach or security incident, affected customers will be notified within 72 hours.
Data handling
Where your data lives, how it's processed, and how long it's kept.
Data location
United States (Neon Postgres / AWS us-east-1)
Backups
Continuous point-in-time recovery via Neon (30-day default)
Data stored
Account info, organization settings, reminders, notification history, audit logs
Third-party processors
Neon (database), Vercel (compute), Resend (email), Stripe (billing), Sentry (errors), PostHog (analytics)
Deletion
Organizations are soft-deleted, then permanently purged after 30 days. All associated data is removed on purge.
Export
Admins can export reminder data (CSV) and audit logs (CSV/JSON) at any time from Settings.
Compliance posture
Where we stand today
We are a pre-SOC 2 company. Our infrastructure providers (Vercel, Neon) hold SOC 2 Type II and ISO 27001. We follow OWASP security best practices, implement audit logging and retention controls, and are working toward a formal compliance certification.
Enterprise checklist
For security questionnaires
Responsible disclosure
If you've found a potential vulnerability, we want to know. Here's how the process works.
Email us
Send your report to security@remindersforteams.com with a description of the vulnerability, steps to reproduce, and potential impact.
We acknowledge within 48 hours
We'll confirm receipt and begin investigating. We may follow up with questions.
We fix and notify you
We'll keep you updated on our progress and let you know when the issue is resolved.
Coordinated disclosure
We ask that you give us at least 90 days before public disclosure. We're happy to credit you in release notes if you'd like.
Report vulnerabilities to security@remindersforteams.com
PGP key available on request
Security questions
Have a security questionnaire or want to discuss our infrastructure in more detail?
security@remindersforteams.com
Legal & privacy requests
For data processing agreements, GDPR requests, or legal inquiries:
privacy@remindersforteams.com
Ready to get started?