We handle the financial work of people who handle real money. That comes with a duty to protect the deals, documents, and identities that pass through our system.
This page is the short version. For the details auditors ask for — SOC 2 readiness, vendor questionnaire responses, penetration test summaries — email security@ibcopilot.ai and we'll share under NDA.
Transparency note
We're a small, growing company. We tell you exactly what we do and don't do. If a control isn't listed below, we don't claim it. No marketing adjectives, no "military-grade."
Every byte of your data is encrypted while it moves across the network and while it rests on our servers. Sensitive fields get an extra layer of application-level encryption so that even a full database dump is useless without our rotating encryption key.
TLS 1.3 in transit
All API and web traffic served over HTTPS with HSTS enforced. No HTTP fallback.
AES-128 encryption at rest
Database volumes encrypted by our infrastructure provider (Railway) plus application-level Fernet encryption (cryptography library) on MFA secrets and password reset tokens.
Hashed credentials
Passwords stored with bcrypt (work factor 12). Password reset tokens stored as SHA-256 hashes, not plaintext.
Encryption key rotation
Documented rotation procedure with a migration window that supports reading rows encrypted under the prior key.
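The migration window described above, as an added example rather than IB Copilot's own code: it uses MultiFernet from the `cryptography` library the page names, keeping the prior key readable until every row has been re-encrypted under the current one. Row ids and plaintexts are constructed for illustration.

```python
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def new_key() -> bytes:
    """Generate a fresh Fernet key (what a rotation starts with)."""
    return Fernet.generate_key()


def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    """Application-level encryption of one sensitive field under a single key."""
    return Fernet(key).encrypt(plaintext)


def make_keyring(current_key: bytes, prior_keys: list) -> MultiFernet:
    """Newest key first. MultiFernet encrypts with the first key and, on decrypt,
    tries every key in order, which is what a migration window needs: rows
    written under a prior key stay readable until they are re-encrypted."""
    return MultiFernet([Fernet(current_key)] + [Fernet(k) for k in prior_keys])


def decrypt_field(keyring: MultiFernet, token: bytes) -> bytes:
    """Decrypt a stored field; works for rows written under any key still in the ring."""
    return keyring.decrypt(token)


def encrypted_under(key: bytes, token: bytes) -> bool:
    """True if the token was produced under exactly this key. Used to audit how
    far a rotation has progressed before the prior key is retired."""
    try:
        Fernet(key).decrypt(token)
        return True
    except InvalidToken:
        return False


def migrate_rows(keyring: MultiFernet, rows: dict) -> dict:
    """Re-encrypt every stored value under the current key. MultiFernet.rotate()
    decrypts with whichever key matches and re-encrypts with the first key, so
    plaintext never leaves this function. Once it has run over the whole table,
    the prior key can be dropped from the ring."""
    for row_id, token in rows.items():
        rows[row_id] = keyring.rotate(token)
    return rows
```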
No stored payment data
All payment information is held by Stripe (PCI DSS Level 1 service provider). We never see or store card numbers.
Multiple layers stop an attacker from getting in — and if one slips through, short-lived sessions and a revocation mechanism limit the damage window.
Strong password policy
Minimum 12 characters, blocklist of common breached passwords, optional HIBP check.
Brute-force lockout
Accounts lock automatically after 10 failed attempts in 15 minutes. Admins are notified via audit log.
Rate limiting
Tight per-IP and per-account caps on login, registration, password reset, and other auth endpoints.
Two-factor authentication
TOTP-based 2FA (Google Authenticator, 1Password, Authy) with one-time backup codes for recovery.
Short-lived tokens
JWT access tokens expire in 24 hours. Password changes instantly invalidate every outstanding session.
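One way to make a password change kill every outstanding token, shown as an added example rather than the page's own implementation: it builds a minimal HS256 JWT with the standard library so it runs offline (production code would use a maintained JWT library), and assumes, which the page does not state, that each user record carries a password_changed_at timestamp that verification compares against the token's iat claim.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

TOKEN_TTL = 24 * 3600  # page: access tokens expire in 24 hours


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes, user_id: str, now: int) -> str:
    """Mint an HS256 JWT with sub/iat/exp claims; `now` is a UNIX timestamp."""
    compact = {"separators": (",", ":")}
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64(json.dumps({"sub": user_id, "iat": now, "exp": now + TOKEN_TTL}, **compact).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_token(secret: bytes, token: str, now: int, password_changed_at: dict) -> Optional[dict]:
    """Return the claims if the token is valid, else None.
    `password_changed_at` maps user id to the UNIX time of that user's last
    password change (a constructed stand-in for the users table)."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None  # signature mismatch: tampered or wrong key
        if json.loads(_unb64(h)).get("alg") != "HS256":
            return None  # never accept an algorithm the server did not choose
        claims = json.loads(_unb64(p))
        if now >= claims["exp"]:
            return None  # past the 24-hour lifetime
        # Instant invalidation: any token issued before the last password change
        # is dead, with no server-side session store or blocklist needed.
        if claims["iat"] < password_changed_at.get(claims["sub"], 0):
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None
```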
Enumeration prevention
Signup and password-reset responses don't reveal whether an email address is registered.
Our workspace model uses role-based access control. You decide who sees what on your team; nobody outside your workspace — including us — reads your deals.
Role-based access (RBAC)
Owner, admin, member, viewer roles at the workspace level. Scoped permissions on every deal and template.
Least-privilege internal access
Production database access is restricted to the founder. No shared credentials; no standing vendor access.
Audit log
Every security-relevant action (login, role change, workspace invite, billing event) is logged immutably with actor, IP, timestamp. Admins can export the full log as CSV.
Single-customer isolation
All queries are scoped by user_id and workspace_id. No shared state that could leak across tenants.
We build on vetted infrastructure providers that themselves hold SOC 2 Type II certifications. Full list of the services that process customer data on our behalf:
Subprocessor list is reviewed before any new vendor is added. Enterprise customers can request 30 days' notice before material changes.
24/7 uptime monitoring
5-minute interval checks on production endpoints; email alerts on any unreachable state.
Real-time error tracking
Sentry notifies the on-call within 60 seconds of any unhandled exception. PII is scrubbed before events leave our servers.
Immutable audit log
1-year retention of every authentication, authorization, and admin event. Queryable by admins.
Log redaction
Runtime filter strips API keys, JWT tokens, passwords, and other secrets from log output before it reaches our logging provider.
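A runtime redaction filter of the kind described above, added here as an example and not IB Copilot's own filter: the patterns are constructed to match the secret shapes the page lists (API keys, JWTs, passwords), and a real deployment would tune them to its own key formats.

```python
import logging
import re

# Order matters: the JWT pattern runs before the generic key=value pattern.
PATTERNS = [
    # Three base64url segments joined by dots, starting with the JSON header: a JWT.
    (re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"), "[REDACTED_JWT]"),
    # Bearer credentials in Authorization headers.
    (re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/-]+=*"), r"\1[REDACTED]"),
    # key=value or key: value secrets in query strings, form bodies and log kwargs.
    (re.compile(r"(?i)\b(password|passwd|api[_-]?key|token|secret)(\s*[=:]\s*)[^\s&,;\"']+"),
     r"\1\2[REDACTED]"),
    # Stripe-style secret keys (constructed shape: sk_live_... / sk_test_...).
    (re.compile(r"\bsk_(live|test)_[A-Za-z0-9]{8,}"), "[REDACTED_API_KEY]"),
]


def redact(text: str) -> str:
    """Apply every pattern in order and return the scrubbed text."""
    for pattern, replacement in PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class SecretRedactingFilter(logging.Filter):
    """Rewrites each record before any handler formats it, so the scrubbed
    message is what reaches the logging provider. The message is formatted
    first so secrets passed as %-args are caught too."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def scrubbed(msg: str, *args) -> str:
    """Run one message through the filter and return what a handler would emit."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, msg, args, None)
    SecretRedactingFilter().filter(record)
    return record.getMessage()


def install(logger: logging.Logger) -> None:
    """Attach the filter to a logger; call once at startup, before any handler."""
    logger.addFilter(SecretRedactingFilter())
```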
Automated security scanning
Weekly dependency vulnerability scans (pip-audit, npm audit, Dependabot) and static analysis (Bandit, Semgrep, TruffleHog) on every commit.
Incident response
Documented playbook for triage, customer notification, and post-mortem. We commit to notifying affected customers within 72 hours of confirming an incident.
GDPR — right of access (Art. 15)
Every user can export their data as a structured JSON archive at any time from /settings/privacy.
GDPR — right to erasure (Art. 17)
Every user can permanently delete their account and associated data from /settings/privacy. Completes within seconds; confirmation email sent.
CCPA compliance
Same export and deletion rights available to California residents. Contact support@ibcopilot.ai for any non-self-serve requests.
Data residency
All primary data stored in US-East regions. We can discuss EU-resident deployments for enterprise customers.
SOC 2 Type II readiness
Currently pre-audit. Internal gap analysis available under NDA. Target: SOC 2 Type I report by end of Q3, Type II by end of year.
Data retention
Audit logs: 1 year. Login attempts: 30 days. Expired reset tokens: purged after 7 days. Account data: until you delete the account.
Daily automated backups
Managed Postgres snapshots retained for 7 days; optional weekly off-site dumps to secondary storage.
Documented restore procedure
Runbook covers dry-run restore, production restore, and encryption-key rotation.
Multi-region hosting
Infrastructure provider runs across multiple availability zones; single-region failure does not take down the service.
Found a security issue? We appreciate the heads-up — we're a small team and every disclosure makes us stronger. Read our coordinated disclosure policy for scope, safe-harbor language, and response SLAs.
Email: security@ibcopilot.ai
PGP: available on request
Response SLA: initial acknowledgment within 2 business days, status update within 5 business days
Last updated: April 2026
Machine-readable contact: /.well-known/security.txt