How we protect what you build with us.
We own the stack, we run small, we document everything. Security here is operational, not theatrical.
Encryption
- TLS 1.3 everywhere — Let's Encrypt with Caddy auto-renewal.
- Encryption at rest on every data store: DigitalOcean managed Postgres and the droplet block volumes that hold application data (provider-managed keys).
- Secrets stored in mode-600 .env files on the droplet, never in git, never in chat logs.
Access control
- SSH key-only on every host. Password auth disabled.
- Per-engagement deploy keys. Revocable, scoped, audited.
- Studio admin actions require Supabase magic-link sign-in, and authorization is enforced in Postgres with Row-Level Security rather than only in the UI, so a direct API call cannot skip the check the interface makes.
Backups & recovery
- Managed Postgres (DigitalOcean engagements): point-in-time recovery to any second in the last 7 days.
- Application containers are stateless — rebuild from git + env in under 5 min.
- Customer DB exports available on request, 24h SLA, no extra cost.
Incident response
- All production errors stream to a single channel watched by the founder.
- 48-hour acknowledgment SLA on any vulnerability report.
- Postmortem written and shared with affected client within 5 business days.
Customer data lives on infrastructure we own. For each engagement we provision either a dedicated DigitalOcean managed Postgres cluster or a Supabase project — your data sits in one place, not smeared across SaaS dashboards we don't control.
Each engagement gets its own Supabase project or DigitalOcean cluster, so one client's data is never multiplexed into a schema shared with another client. Within a Supabase engagement, tenants are isolated by Row-Level Security policies keyed on the authenticated user; DigitalOcean engagements are isolated by separate database clusters.
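As an added example of what row-level tenant isolation looks like in practice (not the studio's own schema), here is a Postgres RLS setup in the form Supabase uses. Table, column, policy and function names are assumptions; `auth.uid()` is the helper Supabase defines to read the caller's user id from the request JWT, and the `authenticated` role exists on Supabase (on plain Postgres you would create it first). The seed rows are constructed for the check at the end.

```sql
-- Added example, not the studio's schema. Names are assumptions; auth.uid()
-- and the `authenticated` role are Supabase-provided.

create table tenant_members (
  tenant_id uuid not null,
  user_id   uuid not null,                 -- auth.users.id on Supabase
  primary key (tenant_id, user_id)
);

create table invoices (
  id         bigint generated always as identity primary key,
  tenant_id  uuid not null,
  amount     numeric(12, 2) not null,
  created_at timestamptz not null default now()
);

-- Constructed seed data, inserted before RLS is forced so the owner can
-- still write it: user 1111... belongs to tenant A only.
insert into tenant_members values
  ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', '11111111-1111-1111-1111-111111111111');
insert into invoices (tenant_id, amount) values
  ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 10.00),
  ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 20.00);

grant select, insert, update, delete on tenant_members, invoices to authenticated;

-- Deny by default. FORCE matters: without it the table owner bypasses every
-- policy, and a migration or seed job running as owner would too.
alter table tenant_members enable row level security;
alter table tenant_members force row level security;
alter table invoices enable row level security;
alter table invoices force row level security;

-- A caller may read only their own memberships.
create policy members_self on tenant_members
  for select to authenticated
  using (user_id = auth.uid());

-- Runs as the caller (security invoker), so members_self still applies and
-- the helper cannot leak other tenants' ids.
create or replace function current_user_tenants()
returns setof uuid
language sql stable security invoker
as $$ select tenant_id from tenant_members where user_id = auth.uid() $$;

-- Read: rows whose tenant the caller belongs to.
create policy invoices_read on invoices
  for select to authenticated
  using (tenant_id in (select current_user_tenants()));

-- Writes use the same predicate as WITH CHECK, so a caller can neither insert
-- into another tenant nor UPDATE tenant_id to move a row there.
create policy invoices_insert on invoices
  for insert to authenticated
  with check (tenant_id in (select current_user_tenants()));

create policy invoices_update on invoices
  for update to authenticated
  using (tenant_id in (select current_user_tenants()))
  with check (tenant_id in (select current_user_tenants()));

create policy invoices_delete on invoices
  for delete to authenticated
  using (tenant_id in (select current_user_tenants()));

-- Check that the policies actually bite: act as user 1111... inside one
-- transaction. auth.uid() reads request.jwt.claims, so set it by hand.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"11111111-1111-1111-1111-111111111111"}', true);

  -- Expected: one row, the 10.00 invoice in tenant A.
  select id, tenant_id, amount from invoices;

  -- Expected: rejected with "new row violates row-level security policy".
  insert into invoices (tenant_id, amount)
    values ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 1.00);
rollback;
```

Two caveats worth checking on any Supabase deployment: anything that uses the service-role key runs with RLS bypassed, so that key belongs only in the server-side mode-600 `.env` described above and never in client code; and a table without an explicit policy is readable by nobody once RLS is enabled, so the membership table needs its own policy or every tenant predicate silently evaluates to empty.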
Retention defaults to the lifetime of the engagement plus 30 days for handoff. Deletion-on-request honored within 14 days. Exports provided in standard SQL dump or CSV.
Regions: US by default (DigitalOcean NYC3, Supabase us-west-1). EU residency available on request at no surcharge; it adds about one week to setup.
Sub-processors: every vendor that may touch client data. Updated whenever the list changes; review the GitHub history of this page if you need a paper trail.
| Vendor | Purpose | Region | DPA |
|---|---|---|---|
| DigitalOcean | Application hosting + managed Postgres | US (NYC3) | DPA → |
| Supabase | Auth + portal Postgres + storage | US (us-west-1) | DPA → |
| Resend | Transactional email + audience lists | US (us-east-1) | DPA → |
| Stripe | Payments + subscription billing | US (global) | DPA → |
| Cloudinary | Image storage + delivery CDN (where used) | Global | DPA → |
| Anthropic | AI inference (where the engagement uses agents) | US | DPA → |
| OpenAI | AI inference (alternate provider) | US | DPA → |
| GitHub | Source control + private repos | US | DPA → |
- SOC 2 Type I: on the roadmap, not certified. We follow the controls but have not yet completed the audit.
- GDPR + CCPA: practiced. Data minimization, deletion-on-request, sub-processor disclosure (this page).
- HIPAA / PCI / ISO 27001: not applicable. We don't take engagements requiring these. Tell us if yours does.
Email security@guruboxztech.com with reproduction steps. We acknowledge within 48 hours and respond with a remediation plan within 5 business days. We don't run a paid bounty — but we credit researchers publicly on this page if you want it.
Send a security questionnaire →