Security

Security Controls

This page documents the existence and nature of our security controls. Internal-sensitive implementation details are omitted. For a full security briefing, contact james@trystereos.com.

Access Control Policy

Access to production systems follows least-privilege principles. All internal team members are provisioned with role-appropriate access. Access is reviewed quarterly and revoked immediately upon offboarding. No shared credentials are used for production systems.

MFA Enforcement

Multi-factor authentication is enforced for all internal accounts including Google Workspace, GitHub, Cloudflare, Vercel, and Neon. Passkey and TOTP methods are supported. MFA cannot be bypassed for production access.

RBAC Implementation

The Stereos platform implements role-based access control with three tiers: admin, manager, and user. Permissions are scoped by role and enforced server-side on every request. Customers can assign roles to team members independently.
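One way the tenant-scoped, server-side role check described above can look, written here as an added example rather than Stereos platform code; the action names, the `Membership` shape, `handleRequest` and the sample memberships are assumptions made for illustration:

```typescript
// Added example (not the Stereos platform's own code): RBAC with the three
// tiers the page names (admin, manager, user), where every role assignment is
// bound to one customer organisation and checked server-side per request.
type Role = "admin" | "manager" | "user";
type Action = "billing.manage" | "member.invite" | "project.read";

// Hypothetical permission map: what each tier may do inside its own org.
const PERMISSIONS: Record<Role, ReadonlySet<Action>> = {
  admin: new Set<Action>(["billing.manage", "member.invite", "project.read"]),
  manager: new Set<Action>(["member.invite", "project.read"]),
  user: new Set<Action>(["project.read"]),
};

// A membership ties a user to a role *within one org*. A role held in org A
// must never grant anything in org B, so the check matches on both fields.
interface Membership { orgId: string; userId: string; role: Role; }

// Constructed sample data: alice administers org-a but is a plain user in org-b.
const SAMPLE_MEMBERSHIPS: Membership[] = [
  { orgId: "org-a", userId: "alice", role: "admin" },
  { orgId: "org-b", userId: "alice", role: "user" },
  { orgId: "org-b", userId: "carol", role: "manager" },
];

interface RequestCtx { userId: string; orgId: string; action: Action; }

// Pure decision function: true only if the caller holds a role in the target
// org and that role carries the requested action. Unknown users fall through
// to a deny, so a missing membership can never be read as permission.
function authorize(ctx: RequestCtx, memberships: Membership[]): boolean {
  const m = memberships.find(
    (x) => x.userId === ctx.userId && x.orgId === ctx.orgId,
  );
  if (!m) return false;
  return PERMISSIONS[m.role].has(ctx.action);
}

// Handler skeleton showing the deny-before-work ordering: authorization runs
// on every request, ahead of any data access, and returns 403 on failure.
function handleRequest(ctx: RequestCtx): { status: number; body: string } {
  if (!authorize(ctx, SAMPLE_MEMBERSHIPS)) {
    return { status: 403, body: "forbidden" };
  }
  return { status: 200, body: `${ctx.action} allowed for ${ctx.userId}` };
}
```

The point a reviewer would check is the `orgId` match in `authorize`: dropping it would let a role granted by one customer act inside another customer's org.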

Secret Management

Secrets are managed via environment variables in Vercel and Cloudflare Workers — never committed to source code. API keys are rotated on a scheduled basis. All keys are stored encrypted at rest by the respective platform providers.

Logging & Monitoring

Application errors and anomalies are monitored via PostHog and server-side logging. Cloudflare provides edge-level request logging and anomaly detection. Alerts are configured for unusual traffic patterns, authentication failures, and error rate spikes.

Incident Response

Security incidents are triaged within 24 hours of detection. Affected customers are notified within 72 hours of a confirmed breach. Our incident response process includes root cause analysis, containment, remediation, and post-mortem documentation.

Change Management

All code changes require pull request review before merging to main. Production deployments are triggered via CI/CD pipeline on Vercel. Database schema changes are applied via reviewed migration scripts. No direct production database edits are permitted.