SECURITY & COMPLIANCE

Security posture and compliance strategy

Security requirements vary by buyer segment. This page separates current operating status from potential compliance paths so buyers and internal teams can make decisions from factual ground.

Current Status (April 27, 2026)

SOC 2 Attestation

Not currently active/published

A SOC report is not currently presented on this site.

Questionnaire Support

Available during sales process

Structured procurement responses can be prepared per opportunity (CAIQ/SIG style where required).

Deployment Model

Project-scoped

Cloud and local/on-prem deployment patterns can be scoped to buyer security requirements.

Public Trust Artifacts

Limited public publication

Detailed evidence packages are handled directly during security review and commercial discussions.

Report a Vulnerability

If you find a security issue in the website, API routes, checkout flow, admin intake, or support-ticket CSV/report path, report it privately instead of opening a public GitHub issue.

juan@juancanfield.com

Safe report contents

Include the affected URL or route, reproduction steps using non-sensitive test data, and the expected impact. Remove secrets, payment data, customer CSV content, and private tokens from screenshots or logs.

A standard disclosure pointer is also available at /.well-known/security.txt.

Practical Compliance Options

PATH OPTION

Option A: Focus on non-SOC2-gated customers

Prioritize fast-close buyers who accept strong security controls and review evidence without requiring immediate SOC 2 attestation.

Best when speed and near-term revenue are higher priority than enterprise procurement access.

PATH OPTION

Option B: Bridge with security package + questionnaires

Use a structured security package (architecture, controls summary, questionnaire responses) to satisfy buyers that do not require immediate formal attestation.

Best when many deals need assurance depth but can tolerate staged compliance.

PATH OPTION

Option C: Start staged SOC 2 pathway

Invest in scoped controls and audit preparation, then execute formal attestation milestones for enterprise-heavy pipeline segments.

Best when strategic pipeline is repeatedly blocked by SOC 2 requirements.

FAST-CLOSE LANE

Buyers without immediate SOC 2 gate

Use controlled architecture, questionnaire responses, and explicit security scope in contract language to move quickly while maintaining credibility.

Recommended when close speed is the primary constraint.

ENTERPRISE LANE

Buyers with mandatory SOC 2 procurement

Treat these as planned compliance investments. Set expectation on audit path, timing, and commercial checkpoints before heavy pre-sales effort.

Recommended only when account value justifies compliance overhead.

Resolution Audit CSV Data Safety

When you upload ticket logs for a Support Deflection gap analysis, we keep the flow narrow: direct private storage, deterministic processing, browser CSV minimization, backend redaction for supported report-output PII patterns, and bounded cleanup for uploaded files.

1. Private Direct Storage

Your CSV is uploaded directly from your browser to Vercel Blob private storage. The file does not reside on public routes or transient app servers, and only our authenticated backend can read it using secure signed tokens.

2. Bounded 30-Day Retention

Uploaded CSV ticket exports and local submission records are deleted after 30 days by the portfolio cleanup path. Generated report data is handled by the downstream report-processing system rather than by the cleanup job on this page.

3. Deterministic Clustering

The report path uses deterministic parsing to analyze repeating themes. Raw ticket logs, subject lines, and description fields are not used for model training, fine-tuning, or third-party LLM clustering.

4. Browser + Backend PII Controls

Before upload, the intake interface minimizes common contact identifiers in the CSV body, including emails, formatted phone numbers, and IP addresses. The downstream report pipeline redacts supported PII patterns from generated Snapshot and report outputs before storage or delivery. This does not guarantee removal of every name, account number, or free-text identifier, and upload stops if the CSV cannot be safely decoded.

5. Baseline Encryption

Traffic runs over HTTPS, and stored blobs and relational database records rely on the managed encryption controls provided by the underlying Vercel Blob and database services.

6. Stateless Compute

Intake parsing and API handling run on stateless serverless functions. There are no long-running virtual machines with persistent local disks that could orphan or leak uploaded files.

Buyer Qualification Checklist

Use these gates in discovery before solution design, proposal effort, or security review deep-dives.

Is SOC 2 Type 2 mandatory before contract signature?

IF YES

Route to enterprise lane. Set timeline expectations early.

IF NO

Proceed with standard security review package and technical scoping.

Will a Type 1 report plus roadmap satisfy procurement for phase one?

IF YES

Use staged compliance path with clear delivery dates.

IF NO

Either defer deal or scope a non-production pilot only.

Do they accept questionnaire + evidence pack as interim assurance?

IF YES

Proceed with CAIQ/SIG style responses and controls walkthrough.

IF NO

Treat as SOC-locked account and price in compliance effort.

Is this account strategic enough to justify compliance spend?

IF YES

Prioritize and include compliance cost in go-to-market plan.

IF NO

Disqualify early and keep focus on faster-close segments.

Claims are limited to controls and attestations currently in force. Questionnaire and architecture evidence can support review, but they are not a replacement for an independent SOC report.

Need a security-first engagement plan?

Start with a Systems Audit. We can define technical scope, risk boundaries, and the right compliance lane before committing to build effort.