Security
In Plain English
This page explains how we protect the Service and your data. We use encryption, access controls, logging, and monitoring, but no system is perfectly secure. The Service is not zero-knowledge, which means authorized personnel may be able to access certain data when needed for support, operations, legal compliance, or security.
Last updated: June 9th, 2026
Security is a core part of the Service. We use administrative, technical, and organizational safeguards designed to protect customer data, but no system is perfectly secure.
Table of Contents
- Our security approach
- Encryption
- Important note
- Access control
- Infrastructure
- Monitoring and logging
- Incident response
- Responsible disclosure
- Questions
Our security approach
We use layered security controls, including:
- encryption at rest
- encrypted transport for network traffic
- access control and least-privilege permissions
- logging and monitoring
- key management practices
- operational review and incident response procedures
Encryption
Sensitive data is encrypted at rest using cloud provider and application-layer controls. Some documents are stored in S3 with SSE-KMS, and certain sensitive fields are encrypted using application-managed keys.
Important note
The Service is not zero-knowledge. Authorized personnel with appropriate permissions may be able to access certain data for support, operations, legal compliance, or security purposes.
Access control
We limit access to systems and data through role-based permissions, MFA, and review of operational access. Production systems are protected by access restrictions and audit logging.
Infrastructure
Our production environment currently uses AWS-based infrastructure, including services such as ECS, EventBridge, CloudFront, RDS, S3, and related security tooling.
Monitoring and logging
We monitor application activity, error signals, and infrastructure events to help detect bugs, abuse, and security issues.
Incident response
Our incident response process is in progress and is currently being formalized. If a security incident affects your data, we will handle it consistent with applicable law and our contractual obligations.
Responsible disclosure
If you believe you have found a security issue, contact us at [insert security email]. We may also publish a security.txt file at /.well-known/security.txt for standard disclosure handling.
Questions
For security questions, contact security@myconstellationplan.com