Detailed breakdown of DMHub's technical and organizational security controls. Reviewed quarterly by engineering leadership and updated when controls change.
Encryption at rest
All data stored in Neon Postgres and Cloudflare R2 is encrypted at rest using AES-256.
Status: Implemented

Encryption in transit
All traffic is served over TLS 1.3. HSTS is enforced with a one-year max-age (max-age=31536000).
Status: Implemented

Secrets management
API keys and credentials are stored in 1Password Teams and injected into the runtime as environment variables. No secrets are hardcoded in source.
Status: Implemented

Integration credential encryption
Third-party integration credentials (WhatsApp tokens, Twilio keys) are encrypted with AES-256-GCM at the application layer before they are written to the database, so they stay protected independently of the database's own at-rest encryption.
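The shape of that application-layer encryption, as an added example written for this page rather than DMHub's own code: AES-256-GCM with a fresh 12-byte nonce per record, the GCM tag stored alongside the ciphertext, and a non-secret tenant/provider context bound in as Additional Authenticated Data so a ciphertext cannot be moved between rows. The key, the `tenantId`/`provider` context fields and the record layout are assumptions for the example.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Constructed 32-byte key for this example (hypothetical). In a real deployment the
// key comes from the secrets manager through an environment variable, never from code.
const EXAMPLE_KEY: Buffer = Buffer.from(
  "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", "hex");

// What gets stored in the credential column: nonce, ciphertext and tag, all base64.
export interface EncryptedCredential {
  v: number;   // format version (1), so the scheme can be changed without a flag day
  iv: string;  // 12-byte GCM nonce
  ct: string;  // ciphertext
  tag: string; // 16-byte authentication tag
}

// Non-secret context bound into the ciphertext as Additional Authenticated Data (AAD).
// A ciphertext copied into another tenant's row, or relabelled as a different provider,
// then fails to decrypt. These fields are an assumption made for the example.
export interface CredentialContext {
  tenantId: string;
  provider: "whatsapp" | "twilio";
}

function aadFor(ctx: CredentialContext): Buffer {
  return Buffer.from(`${ctx.tenantId}|${ctx.provider}`, "utf8");
}

export function encryptCredential(
  plaintext: string, ctx: CredentialContext, key: Buffer = EXAMPLE_KEY,
): EncryptedCredential {
  if (key.length !== 32) throw new Error("AES-256-GCM requires a 32-byte key");
  const iv = randomBytes(12); // fresh random nonce per record; never reuse one under the same key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aadFor(ctx));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    v: 1,
    iv: iv.toString("base64"),
    ct: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

export function decryptCredential(
  rec: EncryptedCredential, ctx: CredentialContext, key: Buffer = EXAMPLE_KEY,
): string {
  if (rec.v !== 1) throw new Error(`unsupported credential format v${rec.v}`);
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(rec.iv, "base64"));
  decipher.setAAD(aadFor(ctx));
  decipher.setAuthTag(Buffer.from(rec.tag, "base64"));
  // final() throws on a tag mismatch: tampered ciphertext, wrong key, or wrong AAD.
  // Nothing is returned in that case, so a caller never sees partially decrypted data.
  const pt = Buffer.concat([decipher.update(Buffer.from(rec.ct, "base64")), decipher.final()]);
  return pt.toString("utf8");
}

// True when the record does not decrypt under the given context/key (the failure path above).
export function decryptFails(
  rec: EncryptedCredential, ctx: CredentialContext, key: Buffer = EXAMPLE_KEY,
): boolean {
  try {
    decryptCredential(rec, ctx, key);
    return false;
  } catch {
    return true;
  }
}

// Flip one bit of the stored ciphertext, simulating a modified database row.
export function tamperCiphertext(rec: EncryptedCredential): EncryptedCredential {
  const ct = Buffer.from(rec.ct, "base64");
  ct[0] ^= 0x01;
  return { ...rec, ct: ct.toString("base64") };
}
```

The AAD is the part worth copying: storage encryption alone does not stop a row from being swapped between tenants, but a ciphertext authenticated against its own row context fails to decrypt anywhere else, and a flipped bit in the ciphertext is rejected before any plaintext is produced.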
Status: Implemented

Multi-factor authentication
TOTP-based 2FA is available for all user accounts and required for admin roles.
Status: Implemented

Role-based access control (RBAC)
Granular roles: Owner, Admin, Agent, Viewer. Both the API and the UI enforce role checks on every data access.
Status: Implemented

Single sign-on (SSO)
SAML 2.0 / OIDC SSO is in development for enterprise-plan customers.
Status: In progress

Session management
Sessions expire after a period of inactivity. Tokens are rotated on re-authentication, and the account owner can revoke all sessions.
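The three behaviours in that paragraph (idle expiry, rotation on re-authentication, owner-initiated revocation) in one small session store, as an added example and not DMHub's implementation. The in-memory map, the 30-minute idle window used in the usage, and the choice to store only a SHA-256 of each token are assumptions made for the example; the clock is injectable so expiry can be exercised without waiting.

```typescript
import { createHash, randomBytes } from "node:crypto";

interface SessionRecord {
  userId: string;
  lastSeen: number; // ms since epoch of the last successful use
}

export class SessionStore {
  // Keyed by SHA-256 of the token: a leaked copy of this table yields no usable tokens.
  private readonly sessions = new Map<string, SessionRecord>();

  constructor(
    private readonly idleTimeoutMs: number,
    private readonly now: () => number = () => Date.now(), // injectable clock for tests
  ) {}

  private static hash(token: string): string {
    return createHash("sha256").update(token, "utf8").digest("hex");
  }

  // Start a session and return the opaque token handed to the client (e.g. in a cookie).
  create(userId: string): string {
    const token = randomBytes(32).toString("hex");
    this.sessions.set(SessionStore.hash(token), { userId, lastSeen: this.now() });
    return token;
  }

  // Map a presented token to a user. Each successful use extends the idle window;
  // a token unused for longer than idleTimeoutMs is dropped and can never be revived.
  resolve(token: string): string | null {
    const key = SessionStore.hash(token);
    const rec = this.sessions.get(key);
    if (!rec) return null;
    const t = this.now();
    if (t - rec.lastSeen > this.idleTimeoutMs) {
      this.sessions.delete(key);
      return null;
    }
    rec.lastSeen = t;
    return rec.userId;
  }

  // Re-authentication: the presented token is retired and a fresh one issued, so a
  // token captured before the user re-authenticated stops working.
  rotate(token: string): string | null {
    const userId = this.resolve(token);
    if (userId === null) return null;
    this.sessions.delete(SessionStore.hash(token));
    return this.create(userId);
  }

  // Owner-initiated "sign out everywhere": returns how many sessions were revoked.
  revokeAll(userId: string): number {
    let revoked = 0;
    this.sessions.forEach((rec, key) => {
      if (rec.userId === userId) {
        this.sessions.delete(key);
        revoked++;
      }
    });
    return revoked;
  }

  activeCount(): number {
    return this.sessions.size;
  }
}

// Usage: a 30-minute idle window (constructed value for the example).
export const exampleStore = new SessionStore(30 * 60 * 1000);
```

Two details matter more than the data structure. Rotation must invalidate the old token in the same step that issues the new one, otherwise a captured token keeps working after re-authentication. And revocation must take effect at the point where tokens are resolved, not only at login, so a revoked session fails on its very next request.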
Status: Implemented

Audit log
All administrative and data-access actions are written to an immutable audit log that records the actor, timestamp, and source IP.
Status: Implemented

Error monitoring
Sentry captures all server-side exceptions with full stack traces. Alerts are routed to the on-call engineer.
Status: Implemented

Uptime monitoring
Health checks run every 60 seconds across the database, cache, payments, and real-time subsystems. Status is published at /status.
Status: Implemented

Rate limiting
Upstash Redis-backed rate limiting is applied to all public API endpoints, authentication routes, and data-export APIs.
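What a per-surface limiter of that kind decides, as an added example that is not DMHub's code: a sliding-window limiter with separate budgets for general API traffic, authentication routes (keyed by client IP, since the caller is not yet authenticated) and data export. DMHub keeps this state in Upstash Redis so every serverless instance shares the same counters; the in-memory map, the policy numbers and the header names below are stand-ins assumed for the example.

```typescript
export interface RateLimitPolicy {
  limit: number;    // requests allowed per window
  windowMs: number; // window length
}

export interface RateLimitDecision {
  allowed: boolean;
  remaining: number;    // requests left in the current window
  retryAfterMs: number; // 0 when allowed; otherwise the time until the oldest hit ages out
}

export type Scope = "api" | "auth" | "export";

// Constructed policy numbers for the example, not DMHub's actual limits. Pre-auth routes
// get a tight budget to blunt credential stuffing; bulk export is slow by design.
export const POLICIES: Record<Scope, RateLimitPolicy> = {
  api: { limit: 100, windowMs: 60_000 },
  auth: { limit: 5, windowMs: 60_000 },
  export: { limit: 2, windowMs: 3_600_000 },
};

export class SlidingWindowLimiter {
  private readonly hits = new Map<string, number[]>(); // key -> timestamps of recent hits

  constructor(private readonly now: () => number = () => Date.now()) {}

  // Decide whether `subject` (an IP for auth routes, a user id or API key otherwise)
  // may make one more request in `scope`, and record the hit if so. Rejected requests
  // are not recorded, so a client that backs off recovers as soon as the window slides.
  check(scope: Scope, subject: string): RateLimitDecision {
    const policy = POLICIES[scope];
    const key = `${scope}:${subject}`;
    const t = this.now();
    // Drop hits that have fallen out of the window; what remains is the live count.
    const recent = (this.hits.get(key) ?? []).filter((ts) => t - ts < policy.windowMs);
    if (recent.length >= policy.limit) {
      this.hits.set(key, recent);
      const oldest = recent[0] ?? t;
      return { allowed: false, remaining: 0, retryAfterMs: oldest + policy.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: policy.limit - recent.length, retryAfterMs: 0 };
  }
}

// Headers a route handler would attach so well-behaved clients can back off.
export function rateLimitHeaders(
  d: RateLimitDecision, policy: RateLimitPolicy,
): Record<string, string> {
  const headers: Record<string, string> = {
    "X-RateLimit-Limit": String(policy.limit),
    "X-RateLimit-Remaining": String(d.remaining),
  };
  if (!d.allowed) headers["Retry-After"] = String(Math.ceil(d.retryAfterMs / 1000));
  return headers;
}
```

The key choice is per-scope, per-subject budgets: exhausting the login budget from one address must not affect API calls from an authenticated user, and a second address must start with its own full budget.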
Status: Implemented

Dependency management
Renovate Bot opens weekly PRs to update dependencies. All packages are pinned to exact versions (no semver ranges) so that installs are reproducible and cannot drift between builds.
Status: Implemented

Static analysis
ESLint with strict TypeScript rules runs in CI; `any` types and `@ts-nocheck` are banned. Pull requests must pass before merge.
Status: Implemented

Responsible disclosure program
Security researchers can report issues at security@dmhub.ai. See /legal/responsible-disclosure for scope and safe-harbor terms.
Status: Implemented

Incident response plan
Runbooks are documented for common failure modes. The on-call rotation carries a 15-minute acknowledgment SLA.
Status: Implemented

Breach notification
Affected users are notified within 72 hours of a confirmed breach. That matches the 72-hour deadline GDPR Article 33 sets for notifying the supervisory authority; notification of affected individuals is governed by Article 34.
Status: Implemented

Database backups
Neon Postgres provides continuous WAL streaming and point-in-time recovery (PITR) with 7-day retention.
Status: Implemented

Disaster recovery
The application is deployed globally on the Vercel Edge Network. Database failover is handled automatically by Neon.
Status: Implemented

Redundancy
Critical services (database, cache, real-time) each have independent fallback paths so that no single component is a single point of failure.
Status: Implemented

Questions about our security posture?
Enterprise prospects can request a completed security questionnaire (VSA/SIG/SIG Lite). Reach out and we'll respond within 2 business days.
security@dmhub.ai