Security overview
Security at The Art of CTO
How we protect customer data, the controls we operate, and how to report a vulnerability. Designed to answer the questions a procurement or risk team is going to ask.
Last reviewed: May 2026 · Owner: security@theartofcto.com
At a glance
- Defence in depth. Authentication, CSRF, rate limiting, input validation, output encoding, and security headers — controls layered, not stacked.
- Least privilege. Admin endpoints gated by role; internal worker endpoints gated by signed tokens; secrets scoped per-environment.
- Aligned to ISO 27001 / SOC 2 principles. We operate to the controls; we are not currently independently audited. We are transparent about that gap. See Compliance & alignment.
- No card data on our systems. All payments routed through Stripe (PCI DSS Level 1). We never see, transmit, or store full card numbers.
- Disclosure path. Email security@theartofcto.com for vulnerability reports. Acknowledged within 24 hours.
- Procurement-ready answers. Our CAIQ-aligned security questionnaire answers 50+ standard questions in CAIQ v4 format — extract directly into your vendor risk register.
- Live security status. The security status dashboard publishes the current state of every automated control we run — vulnerability scans, DAST/SAST tools, header validators, certificate-transparency monitors, accessibility scans. Updated continuously from CI; no operator gating.
Application security
Authentication
OAuth 2.0 + OIDC via Auth0 with JWT signature verification (JWKS). Session cookies are AES-GCM encrypted; HttpOnly, Secure, SameSite=Lax.
CSRF protection
Double-submit cookie pattern on every state-changing endpoint. The token is bound to the session; requests with mismatched tokens are rejected with 403 before handler dispatch.
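Added example (not The Art of CTO's own code): a session-bound double-submit check, showing that a token minted for a different session fails even when cookie and header match. The HMAC-based binding, the token layout, and every name and sample value here are assumptions; the page does not say how the binding is implemented.

```javascript
const crypto = require("node:crypto");

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]); // not state-changing

// Assumed binding: tag = HMAC-SHA256(secret, "<sessionId>!<nonce>"), hex encoded.
function mac(secret, sessionId, nonce) {
  return crypto.createHmac("sha256", secret).update(`${sessionId}!${nonce}`).digest("hex");
}

// Token layout (assumption): "<random nonce>.<tag>", set as a cookie and
// echoed back by the client in a request header.
function issueCsrfToken(secret, sessionId) {
  const nonce = crypto.randomBytes(16).toString("hex");
  return `${nonce}.${mac(secret, sessionId, nonce)}`;
}

// Constant-time string comparison; timingSafeEqual throws on unequal lengths.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Runs before handler dispatch. Returns { allowed: true } or { allowed: false, status: 403 }.
function csrfGate({ method, cookieToken, headerToken, sessionId, secret }) {
  const reject = { allowed: false, status: 403 };
  if (SAFE_METHODS.has(method)) return { allowed: true };
  // Step 1: classic double-submit, cookie and header must carry the same token.
  if (!cookieToken || !headerToken || !safeEqual(cookieToken, headerToken)) return reject;
  // Step 2: session binding, the tag must verify for *this* session.
  const [nonce, tag] = cookieToken.split(".");
  if (!nonce || !tag) return reject;
  return safeEqual(tag, mac(secret, sessionId, nonce)) ? { allowed: true } : reject;
}

// Constructed sample values (not real secrets or session identifiers).
const SAMPLE_SECRET = "constructed-csrf-secret";
const SAMPLE_SESSION = "sess_constructed_A";
const SAMPLE_TOKEN = issueCsrfToken(SAMPLE_SECRET, SAMPLE_SESSION);
```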
Webhook signature verification
Stripe webhooks verified via HMAC-SHA256 with timing-safe compare and 5-minute timestamp tolerance. Idempotent event handling via a dedicated processed-events ledger to defend against replay.
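Added example (not The Art of CTO's own code): the checks named above, applied in order to a Stripe-style `t=...,v1=...` signature header, with a replay ledger. The in-memory `Set` standing in for the processed-events ledger, the function names, and the sample secret and event are assumptions constructed for illustration.

```javascript
const crypto = require("node:crypto");

const TOLERANCE_SECONDS = 300; // the 5-minute timestamp tolerance stated above

// Header format used by Stripe: "t=<unix seconds>,v1=<hex hmac>[,v1=...]".
function parseSignatureHeader(header) {
  const out = { timestamp: NaN, signatures: [] };
  for (const part of String(header).split(",")) {
    const [key, value = ""] = part.trim().split("=", 2);
    if (key === "t" && /^\d+$/.test(value)) out.timestamp = Number(value);
    if (key === "v1") out.signatures.push(value);
  }
  return out;
}

// HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded.
function computeSignature(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

// ledger: hypothetical stand-in for the processed-events store (a Set here;
// in production the insert must be atomic, e.g. a unique-key constraint).
function verifyWebhook({ rawBody, header, secret, nowSeconds, ledger }) {
  const { timestamp, signatures } = parseSignatureHeader(header);
  if (!Number.isFinite(timestamp) || signatures.length === 0) {
    return { accepted: false, process: false, reason: "malformed_header" };
  }
  const expected = Buffer.from(computeSignature(secret, timestamp, rawBody));
  const valid = signatures.some((sig) => {
    const candidate = Buffer.from(sig);
    // timingSafeEqual throws on length mismatch, so compare lengths first.
    return candidate.length === expected.length && crypto.timingSafeEqual(candidate, expected);
  });
  if (!valid) return { accepted: false, process: false, reason: "bad_signature" };
  if (Math.abs(nowSeconds - timestamp) > TOLERANCE_SECONDS) {
    return { accepted: false, process: false, reason: "stale_timestamp" };
  }
  const eventId = JSON.parse(rawBody).id; // parse only after the body is authenticated
  // A redelivered event is acknowledged but not handled a second time.
  if (ledger.has(eventId)) return { accepted: true, process: false, reason: "duplicate_event" };
  ledger.add(eventId);
  return { accepted: true, process: true, reason: "new_event" };
}

// Constructed sample delivery (not real Stripe data or a real secret).
const SAMPLE = { secret: "whsec_CONSTRUCTED_EXAMPLE", timestamp: 1700000000,
  rawBody: '{"id":"evt_constructed_1","type":"invoice.paid"}' };
SAMPLE.header = `t=${SAMPLE.timestamp},v1=${computeSignature(SAMPLE.secret, SAMPLE.timestamp, SAMPLE.rawBody)}`;
```

The signature covers the timestamp, so editing `t` to slip inside the tolerance window invalidates the HMAC.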
Input validation
Zod schema validation at every API boundary. Bounded string fields. JSONB payload sizes capped to prevent log abuse.
Rate limiting
Sliding-window rate limiter per endpoint backed by Cloudflare KV. Stricter limits on auth, payment, and contact endpoints. Per-IP abuse detection via honeypot paths.
XSS prevention
All user-supplied HTML sanitized server-side (script, iframe, object, embed, form, javascript: URIs all stripped). Trusted Types CSP enforced where supported.
SQL injection
Parameterised queries everywhere. No string concatenation into SQL. Validated by static analysis.
Secrets
Stored in Cloudflare Workers Secrets and GitHub Actions secrets. Never committed to git; pre-commit pattern checks block accidental exposure.
PII redaction
Server logs run through a sanitiser that masks emails, phone numbers, SSNs, and credit-card patterns before they reach the log sink.
Infrastructure security
Edge runtime
Cloudflare Workers — V8 isolates, no shared filesystem, ephemeral by design. DDoS protection and WAF inherited from the Cloudflare network.
Encryption in transit
TLS 1.2+ enforced site-wide. HSTS with includeSubDomains and preload. Automatic certificate management via Cloudflare.
Encryption at rest
All Postgres databases (Neon) and object storage (R2) encrypted at rest. KMS-managed keys.
Database access
Application talks to Postgres only via Cloudflare Hyperdrive (TLS). No direct public Postgres exposure. Read/write separation where workload allows.
Backups
Daily automated snapshots; point-in-time recovery within the last 7 days. Cross-region replication for production data.
Network isolation
API and web are separate Workers; admin endpoints require an authenticated admin session and CSRF token. Internal endpoints (worker-to-worker) require a signed token, not user credentials.
Honeypot detection
20+ honeypot paths log bot scans to KV with 30-day retention. Repeat offenders are rate-limited at the edge.
Data handling
What we collect. Account identity (email, name) via your identity provider; tool inputs and outputs you submit to the platform; telemetry on tool usage and conversion events to improve the product. We do not collect, sell, or share personal data with third parties for advertising.
Where it lives. Application data lives in Neon Postgres (encrypted at rest). Files and audio assets in Cloudflare R2. Logs and rate-limit state in Cloudflare KV. Payment data is held by Stripe — never by us.
How long we keep it. Account data retained for the lifetime of the account. After account deletion, primary records are removed within 30 days; backups roll over within 90 days. Audit and security logs retained for 12 months.
Your rights. You can request export or deletion of your data at any time by emailing privacy@theartofcto.com. We honour GDPR / UK GDPR access, rectification, erasure, and portability requests within 30 days.
Sub-processor changes. We notify customers of new sub-processors at least 30 days before they begin processing data. Customers may object during that window.
Sub-processors
Third parties that process customer data on our behalf. Each is engaged under a Data Processing Agreement and selected for its independent security attestation.
| Provider | Purpose | Region | Certifications |
|---|---|---|---|
| Cloudflare, Inc. | Edge delivery, DDoS, WAF, Workers runtime, R2 / KV / D1 storage | Global | ISO 27001, SOC 2 Type II, PCI DSS |
| Neon, Inc. | Managed Postgres (application data) | EU / US | SOC 2 Type II |
| Auth0 / Okta | Identity provider (OAuth 2.0 / OIDC) | Global | ISO 27001, SOC 2 Type II, ISO 27018 |
| Stripe, Inc. | Payment processing (we never store card data) | Global | PCI DSS Level 1, SOC 2 |
| Brevo (Sendinblue) | Transactional + marketing email delivery | EU | GDPR / ISO 27001 |
| ElevenLabs | Text-to-speech for Daily Sync audio | US | SOC 2 Type II |
| OpenAI, Anthropic | AI inference for content generation + assistant | US | SOC 2 Type II |
| Sentry (Functional Software) | Error tracking + performance monitoring | US / EU | SOC 2 Type II, ISO 27001 |
Compliance & alignment
Honest framing. The Art of CTO is operated to the principles of ISO 27001:2022 and SOC 2 Type II. We have implemented controls across the relevant Annex A families, but we are not currently audited or certified by an independent third party. We list the gap transparently — pretending otherwise would be a control failure in itself. Independent attestation is on our roadmap; in the meantime, the table below shows what we operate today.
Standards we map to. ISO 27001:2022 (Annex A) · SOC 2 Type II Trust Services Criteria (Security, Availability, Confidentiality) · GDPR / UK GDPR · CCPA. PCI DSS scope is fully delegated to Stripe.
Documents available on request. Data Processing Agreement (DPA) · Sub-processor list (live on this page) · Information security policy · Incident response policy · Vulnerability disclosure policy · Penetration test summary (most recent). Email security@theartofcto.com.
ISO 27001:2022 Annex A — controls we operate
| Annex | Control family | What we do |
|---|---|---|
| A.5 | Information security policies | Security policy reviewed annually; published policies for incident response, vulnerability disclosure, and acceptable use. |
| A.6 | Organisation of information security | Defined roles and responsibilities; security@theartofcto.com as a single intake for all reports. |
| A.7 | Human resource security | Access provisioned on a need-to-know basis; offboarding revokes credentials within 24h. |
| A.8 | Asset management | Inventory of data stores, sub-processors, and binding configurations under version control. |
| A.9 | Access control | OAuth 2.0 / OIDC authentication via Auth0; AES-GCM encrypted sessions with PBKDF2 key derivation; CSRF double-submit cookies on state-changing endpoints; role-based access for admin features. |
| A.10 | Cryptography | TLS 1.2+ for all external traffic; HSTS preload; AES-GCM session encryption; HMAC-SHA256 webhook signature verification (Stripe); secrets managed via Cloudflare Workers Secrets, never committed. |
| A.11 | Physical & environmental | Inherited from sub-processors (Cloudflare, Neon, Auth0). All run physically secure datacenters with ISO 27001 attestation. |
| A.12 | Operations security | Automated dependency scanning (Dependabot, npm audit, retire.js); CodeQL static analysis on every pull request; daily security scans; structured logging with PII redaction (email, phone, SSN, card-number patterns). |
| A.13 | Communications security | Comprehensive CSP Level 2 with explicit allowlists; X-Frame-Options DENY; X-Content-Type-Options nosniff; Referrer-Policy strict-origin-when-cross-origin; environment-aware CORS origin validation. |
| A.14 | System acquisition, development & maintenance | PR-blocking unit + integration tests; mandatory pre-merge lint + typecheck + build; security review for changes touching authentication, payments, or PII handling. |
| A.15 | Supplier relationships | Sub-processor list (on this page) maintained and disclosed; only providers with SOC 2 / ISO 27001 attestation engaged for data-handling roles. |
| A.16 | Information security incident management | Sentry-instrumented detection; documented incident response runbook; security@theartofcto.com 24h intake commitment; user notification within 72h of confirmed incident affecting their data (GDPR Article 33). |
| A.17 | Business continuity | Multi-region replication via Cloudflare and Neon; daily database backups with point-in-time recovery; disaster recovery exercises performed prior to each major release. |
| A.18 | Compliance | GDPR / UK GDPR — DPA available on request, data export and deletion endpoints. CCPA — same. Vulnerability disclosure policy at /security#disclosure. Annual review of legal obligations. |
Vulnerability disclosure
We welcome reports from the security research community. Email security@theartofcto.com with details. PGP key available on request.
Our commitment to you:
- We acknowledge every report within 24 hours.
- We provide a tentative remediation timeline within 5 business days.
- We will not pursue legal action against good-faith researchers who follow this policy.
- We credit reporters publicly (with consent) in release notes.
In return, please:
- Avoid privacy violations, data destruction, denial-of-service, and physical attacks.
- Test only on accounts you own or have explicit written permission to test on.
- Give us reasonable time to remediate before public disclosure.
Out of scope: rate limits on documentation pages, content security policy reports without an exploitable vector, social engineering of staff, theoretical issues without proof of concept, missing security headers without a demonstrated attack.
Contact
- Security: security@theartofcto.com — vulnerabilities, audit requests, security questionnaires.
- Privacy / data rights: privacy@theartofcto.com — GDPR / CCPA requests, DPA copies.
- Legal: legal@theartofcto.com.
We respond within 1 business day to procurement and security questionnaires from prospective customers.