Security posture and compliance strategy
Security requirements vary by buyer segment. This page separates current operating status from potential compliance paths so buyers and internal teams can make decisions from factual ground.
Current Status (April 27, 2026)
SOC 2 Attestation
Not currently active/published
A SOC report is not currently presented on this site.
Questionnaire Support
Available during sales process
Structured procurement responses can be prepared per opportunity (CAIQ/SIG style where required).
Deployment Model
Project-scoped
Cloud and local/on-prem deployment patterns can be scoped to buyer security requirements.
Public Trust Artifacts
Limited public publication
Detailed evidence packages are handled directly during security review and commercial discussions.
Report a Vulnerability
If you find a security issue in the website, API routes, checkout flow, admin intake, or support-ticket CSV/report path, report it privately instead of opening a public GitHub issue.
juan@juancanfield.comSafe report contents
Include the affected URL or route, reproduction steps using non-sensitive test data, and the expected impact. Remove secrets, payment data, customer CSV content, and private tokens from screenshots or logs.
A standard disclosure pointer is also available at /.well-known/security.txt.
Practical Compliance Options
Option A: Focus on non-SOC2-gated customers
Prioritize fast-close buyers who accept strong security controls and review evidence without requiring immediate SOC 2 attestation.
Best when speed and near-term revenue are higher priority than enterprise procurement access.
Option B: Bridge with security package + questionnaires
Use a structured security package (architecture, controls summary, questionnaire responses) to satisfy buyers that do not require immediate formal attestation.
Best when many deals need assurance depth but can tolerate staged compliance.
Option C: Start staged SOC 2 pathway
Invest in scoped controls and audit preparation, then execute formal attestation milestones for enterprise-heavy pipeline segments.
Best when strategic pipeline is repeatedly blocked by SOC 2 requirements.
Buyers without immediate SOC 2 gate
Use controlled architecture, questionnaire responses, and explicit security scope in contract language to move quickly while maintaining credibility.
Recommended when close speed is the primary constraint.
Buyers with mandatory SOC 2 procurement
Treat these as planned compliance investments. Set expectation on audit path, timing, and commercial checkpoints before heavy pre-sales effort.
Recommended only when account value justifies compliance overhead.
Resolution Audit CSV Data Safety
When you upload ticket logs for a Support Deflection gap analysis, we keep the flow narrow: direct private storage, deterministic processing, browser CSV minimization, backend redaction for supported report-output PII patterns, and bounded cleanup for uploaded files.
1. Private Direct Storage
Your CSV is uploaded directly from your browser to Vercel Blob private storage. The file does not reside on public routes or transient app servers, and only our authenticated backend can read it using secure signed tokens.
2. Bounded 30-Day Retention
Uploaded CSV ticket exports and local submission records are deleted after 30 days by the portfolio cleanup path. Generated report data is handled by the downstream report-processing system rather than by the cleanup job on this page.
3. Deterministic Clustering
The report path uses deterministic parsing to analyze repeating themes. Raw ticket logs, subject lines, and description fields are not used for model training, fine-tuning, or third-party LLM clustering.
4. Browser + Backend PII Controls
Before upload, the intake interface minimizes common contact identifiers in the CSV body, including emails, formatted phone numbers, and IP addresses. The downstream report pipeline redacts supported PII patterns from generated Snapshot and report outputs before storage or delivery. This does not guarantee removal of every name, account number, or free-text identifier, and upload stops if the CSV cannot be safely decoded.
5. Baseline Encryption
Traffic runs over HTTPS, and stored blobs and relational database records rely on the managed encryption controls provided by the underlying Vercel Blob and database services.
6. Stateless Compute
Intake parsing and API handling run on stateless serverless functions. There are no long-running virtual machines with persistent local disks that could orphan or leak uploaded files.
Buyer Qualification Checklist
Use these gates in discovery before solution design, proposal effort, or security review deep-dives.
Is SOC 2 Type 2 mandatory before contract signature?
IF YES
Route to enterprise lane. Set timeline expectations early.
IF NO
Proceed with standard security review package and technical scoping.
Will a Type 1 report plus roadmap satisfy procurement for phase one?
IF YES
Use staged compliance path with clear delivery dates.
IF NO
Either defer deal or scope a non-production pilot only.
Do they accept questionnaire + evidence pack as interim assurance?
IF YES
Proceed with CAIQ/SIG style responses and controls walkthrough.
IF NO
Treat as SOC-locked account and price in compliance effort.
Is this account strategic enough to justify compliance spend?
IF YES
Prioritize and include compliance cost in go-to-market plan.
IF NO
Disqualify early and keep focus on faster-close segments.
Claims are limited to controls and attestations currently in force. Questionnaire and architecture evidence can support review, but they are not a replacement for an independent SOC report.
Need a security-first engagement plan?
Start with a Systems Audit. We can define technical scope, risk boundaries, and the right compliance lane before committing to build effort.