// security

Security

How we protect the systems we build and the data they hold.

Encryption

All data encrypted at rest using AWS-managed keys (AES-256)
All data in transit encrypted via TLS 1.2+ (enforced at the load balancer and API layer)
S3 bucket encryption enforced by bucket policy — no unencrypted uploads accepted

Secrets management

Application secrets stored in AWS Secrets Manager — never in environment variables or code
Secrets rotated on a schedule; access logged via CloudTrail
No credentials committed to version control — enforced by pre-commit hooks and CI checks

Access control

AWS Cognito with MFA required for all customer-facing authentication
IAM roles follow least-privilege — no wildcards on production resources
Root account access disabled; all access via named IAM users with MFA
SCPs applied at the AWS Organization level to prevent privilege escalation

Audit logging

AWS CloudTrail enabled in all regions with multi-region trail and log file validation
Application-level audit events logged to CloudWatch Logs with 90-day retention
Logs are immutable — stored in a separate account with write-once policy

Availability and backups

DynamoDB Point-in-Time Recovery (PITR) enabled — restores to any second in the last 35 days
Weekly cross-account backup snapshots stored in a separate AWS account
Infrastructure defined as code (CDK) — full environment can be reproduced from source control
Region: us-east-1 (enforced by SCP on Unnamed OU)

Compliance posture

Unnamed Corp is not currently SOC 2 certified. SOC 2 Type II is on our 12-month roadmap. We build with SOC 2 controls in mind from day one so that certification is an audit, not a rebuild.

We follow AWS Well-Architected Framework principles across all five pillars: operational excellence, security, reliability, performance efficiency, and cost optimization.

Subprocessors

We use the following third-party services in the operation of the platform. We notify customers of material subprocessor changes with at least 30 days notice.

Subprocessor	Purpose	Privacy policy
Amazon Web Services (AWS)	Cloud infrastructure, compute, storage, database, email (SES)	View →
Stripe	Payment processing	View →
Amazon Cognito	User authentication and MFA	View →
Cal.com	Discovery call scheduling	View →
PostHog	Product analytics (privacy-preserving, no PII in events)	View →
Sentry	Error monitoring	View →

Security documentation

Request our full security packet — architecture diagrams, control mappings, and penetration test summaries.

Request security packet

Availability and backups

DynamoDB Point-in-Time Recovery (PITR) enabled — restores to any second in the last 35 days

Weekly cross-account backup snapshots stored in a separate AWS account

Infrastructure defined as code (CDK) — full environment can be reproduced from source control

Region: us-east-1 (enforced by SCP on Unnamed OU)

Compliance posture

Unnamed Corp is not currently SOC 2 certified. SOC 2 Type II is on our 12-month roadmap. We build with SOC 2 controls in mind from day one so that certification is an audit, not a rebuild.

We follow AWS Well-Architected Framework principles across all five pillars: operational excellence, security, reliability, performance efficiency, and cost optimization.

Subprocessors

We use the following third-party services in the operation of the platform. We notify customers of material subprocessor changes with at least 30 days notice.

Subprocessor	Purpose	Privacy policy
Amazon Web Services (AWS)	Cloud infrastructure, compute, storage, database, email (SES)	View →
Stripe	Payment processing	View →
Amazon Cognito	User authentication and MFA	View →
Cal.com	Discovery call scheduling	View →
PostHog	Product analytics (privacy-preserving, no PII in events)	View →
Sentry	Error monitoring	View →