PentStark
Trust · Security

Security posture.

Our engineering, operational, and infrastructure controls, in the open.

Transport & HTTP

  • TLS 1.3 only; HSTS with the preload directive (site submitted to the browser preload list).
  • Strict Content-Security-Policy with nonce-based script controls.
  • X-Content-Type-Options: nosniff, X-Frame-Options: DENY.
  • Referrer-Policy: strict-origin-when-cross-origin.
  • Permissions-Policy disables camera, microphone, geolocation and interest-cohort (FLoC).
  • Subresource Integrity (SRI) for third-party assets.
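As an added example (not code from PentStark's page or tooling), the following Python audit checks a captured response header set against the claims in the list above. The two header sets are constructed for illustration; the TLS 1.3 claim is out of scope here because it needs a live handshake rather than a header dump.

```python
"""Offline audit of an HTTP response's security headers against the
"Transport & HTTP" claims: HSTS preload, nonce-based CSP, nosniff,
X-Frame-Options DENY, Referrer-Policy and Permissions-Policy.
Added example; header sets below are constructed, not captured."""
import re

# Features the page says Permissions-Policy restricts (FLoC = interest-cohort).
REQUIRED_DENIED = ("camera", "microphone", "geolocation", "interest-cohort")
ONE_YEAR = 31536000  # minimum max-age accepted by the HSTS preload list


def parse_csp(value):
    """Split a CSP header into {directive: [source, ...]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains; preload' into {token: value}."""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.lower()] = val
    return out


def audit_headers(headers):
    """Return a list of findings; an empty list means every claim holds."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = parse_hsts(h.get("strict-transport-security", ""))
    try:
        max_age = int(hsts.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < ONE_YEAR or "includesubdomains" not in hsts or "preload" not in hsts:
        findings.append("HSTS: needs max-age>=31536000, includeSubDomains and preload")

    csp = parse_csp(h.get("content-security-policy", ""))
    script_src = csp.get("script-src", csp.get("default-src", []))
    # A per-response nonce must appear in the effective script source list.
    has_nonce = any(re.fullmatch(r"'nonce-[A-Za-z0-9+/=_-]{16,}'", s) for s in script_src)
    if not has_nonce:
        findings.append("CSP: script-src has no per-response nonce")
    weak = {"'unsafe-inline'", "*"} & set(script_src)
    if weak:
        findings.append(f"CSP: script-src allows {sorted(weak)}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")

    # 'feature=()' denies the feature for every origin, including self.
    denied = {m.group(1).lower() for m in re.finditer(r"([a-z-]+)=\(\)", h.get("permissions-policy", ""))}
    missing = [f for f in REQUIRED_DENIED if f not in denied]
    if missing:
        findings.append(f"Permissions-Policy does not disable {missing}")
    return findings


# Constructed header sets: one matching the stated posture, one that does not.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-dGhpcyBpcyBhIG5vbmNl' "
                               "'strict-dynamic'; object-src 'none'; base-uri 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), interest-cohort=()",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Permissions-Policy": "camera=(), microphone=()",
}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, audit_headers(hdrs) or "all claims hold")
```

The nonce check only proves a nonce-shaped token is present; confirming that the nonce actually changes per response and that every inline script carries it still takes two fetches and a look at the HTML.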

Authentication

  • Clerk for customer auth with MFA enforced.
  • SSO (SAML / OIDC) for enterprise tenants.
  • Hardware keys (WebAuthn) required for operator accounts.
  • Session rotation on privilege change.

Data handling

  • Customer data encrypted at rest (AES-256) and in transit (TLS 1.3).
  • Per-engagement tenant isolation.
  • Retention: findings purged 90 days after engagement close (configurable).
  • No production data used in development environments.

SDLC & operations

  • All changes require peer review and signed commits.
  • SAST (Semgrep, CodeQL), SCA (Snyk, Dependabot), IaC scanning (Checkov, tfsec).
  • Secret scanning (gitleaks) in CI + pre-commit.
  • Threat models updated per release for every high-risk system.
  • Annual third-party penetration test.

Infrastructure

  • Marketing site on Vercel with automatic DDoS protection.
  • Application infrastructure on AWS, multi-AZ, least-privilege IAM.
  • Centralized logging with tamper-evident storage.
  • 24/7 pager rotation for security-critical alerts.