Security
Effective May 28, 2026.
Backbone ships software you own and operate. Our security posture covers two surfaces: this marketing site, and the production platforms we hand off to clients.
This site
- HTTPS-only with HSTS (max-age 2y, includeSubDomains, preload).
- Content-Security-Policy locked down to known third-party origins.
- X-Frame-Options DENY, X-Content-Type-Options nosniff, strict Referrer-Policy.
- Permissions-Policy disables camera, microphone, geolocation, and ad-cohort APIs.
- Form submissions server-validated (Zod) and rate-limited (Upstash).
- Cloudflare Turnstile defends the signup form when configured.
- No secrets in the client bundle — CI runs gitleaks on every commit.
- Dependabot runs weekly; GitHub CodeQL scans on every push and on a weekly schedule.
- Sentry captures unhandled errors with PII scrubbing and input masking on replays.
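A check a practitioner would want for the list above, added here as an example and not Backbone's own code: it audits a response's header set against the stated policy. It assumes the "ad-cohort APIs" map to the `interest-cohort` and `browsing-topics` Permissions-Policy features, and the sample headers are constructed.

```python
# Added example, not Backbone's own code: audit one response's header set
# against the policy listed above. Sample headers below are constructed.
TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 seconds, the "2y" stated above
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
# Assumed mapping of the page's "ad-cohort APIs" to Permissions-Policy feature names.
DISABLED_FEATURES = ("camera", "microphone", "geolocation", "interest-cohort", "browsing-topics")

def parse_directives(value: str) -> dict:
    # 'max-age=63072000; includeSubDomains' -> {'max-age': '63072000', 'includesubdomains': None}
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"') or None
    return out

def audit_headers(headers: dict) -> list:
    """Return findings; an empty list means the header set meets the policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = parse_directives(h.get("strict-transport-security", ""))
    max_age = hsts.get("max-age") or ""
    if not max_age.isdigit() or int(max_age) < TWO_YEARS:
        findings.append("HSTS max-age missing or below 2 years")
    findings += [f"HSTS missing {d}" for d in ("includesubdomains", "preload") if d not in hsts]
    if not h.get("content-security-policy"):
        findings.append("Content-Security-Policy missing")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options not DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not nosniff")
    if h.get("referrer-policy", "").lower() not in STRICT_REFERRER:
        findings.append("Referrer-Policy not strict")
    pp = h.get("permissions-policy", "").replace(" ", "").lower()
    findings += [f"Permissions-Policy does not disable {f}" for f in DISABLED_FEATURES if f"{f}=()" not in pp]
    return findings

# Constructed sample header set that meets every item in the policy above.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), interest-cohort=(), browsing-topics=()",
}
```

Feed it the headers from a real response (for example `dict(resp.headers)` from `urllib` or `requests`) to get a deploy-time regression check for the items above.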
Builds we ship to clients
- Deployed to your Vercel, Supabase, Stripe, Resend, and GitHub accounts — your credit card, your domain. We hold collaborator access only.
- Supabase Row Level Security enabled on every user-facing table by default. Service-role keys never touch the browser.
- Edge functions use Vault-backed secret rotation patterns.
- Audit log of internal admin actions wired in by default; you decide who keeps access after handoff.
- We use Anthropic, OpenAI, or any LLM only with your written approval and only on de-identified data.
Reporting a vulnerability
Email security@backbonestudio.co with steps to reproduce. We acknowledge within 24 hours and patch critical issues within 7 days. Please don't test on live client production infrastructure — we're happy to spin up a sandbox.
Compliance posture
We are not SOC 2 certified at this stage; we are a two-person studio. We can sign mutual NDAs and align to your security questionnaire on a per-engagement basis.
Questions? hello@backbonestudio.co.