SECURITY · ARCHITECTURE · COMPLIANCE

Built systems-first. Compliance is the default.

Every install is its own deploy — your domains, your DB, your keys. We never share a multi-tenant store. The bridge between install and ops is HMAC-signed with a 60-second replay window. Compliance posture below; everything links to a real document.

See the architecture Disclose a vulnerability

THE TOPOLOGY

One install, one deploy.

Marketing sits on Vercel. Each install runs on its own Render service, its own Postgres, its own Redis — wired to a separate ops control plane through a signed bridge. Breach radius is the install boundary by construction.

TLS 1.3 everywhereHMAC-SHA256 bridgeIsolated per install≤60s replay window

PRIMITIVES · SIX BUILDING BLOCKS

What we lean on.

Each item below maps to a line of code or a runbook. Click through to /legal for the full prose.

TLS

TLS 1.3 across every hop

Browser to marketing, marketing to install, install to ops — every edge runs TLS 1.3. HSTS preload is enabled on the apex domain. No mixed-content escape hatches.

AT-REST

Encryption at rest, Fernet-keyed

Postgres + Redis at rest are encrypted by the host (Render). Signing secrets are Fernet-encrypted with a per-install OPS_ENCRYPTION_KEY — separated from the SHA-256 verifier so a hash leak never yields a usable HMAC key.

ISOLATED

One install, one deploy, one DB

Each client gets their own Render service, Postgres, and Redis. There is no shared multi-tenant store. A breach radius starts and stops at the install boundary by construction.

BRIDGE

HMAC-signed phone-home, ≤60s replay window

Install ↔ ops traffic is SHA-256 HMAC-signed with rotating per-install secrets. Requests outside a 60-second timestamp window are rejected as replays. Brute-force attempts on the verify endpoint are audited and rate-limited.

AUDIT

Audit log on every mutation

Every ops mutation (secret rotation, install update, billing change) writes an OpsActivityEvent with the actor, timestamp, and diff. Client-side audit events propagate to ops via the bridge for forensic continuity.

BACKUPS

Tested restore runbook

Render takes daily backups of every Postgres. We rehearse restore on a sandbox install once per quarter. The runbook (DR-RUNBOOK.md) covers four failure scenarios end-to-end.

DATA HANDLING

Every byte has a paper trail.

We publish the same documents we use internally. Each link below is the live, dated source — not marketing-speak about a security review.

Record of Processing (ROPA)

Every table that holds personal data, what we collect, the legal basis, the retention window, and the deletion path. Living document.

Subprocessors

Every third party that processes data on our behalf — Render, Vercel, Anthropic, Resend, Email Bison, Instantly, CRM vendors.

Data Processing Agreement

Controller-to-processor commitments — subject matter, security measures, breach notification, transfers. Templated, signable.

Terms of Service

Install scope, acceptable use, vendor pass-through, liability, termination. The agreement that governs your use of ReplyArc.

COMPLIANCE POSTURE

What we hold today.

Frameworks below are tracked against a real document or audit. We don't paint badges we haven't earned.

FrameworkStatusDetail

GDPR (EU)CompliantROPA published. DSAR and right-to-erasure flows live in-product. Breach response procedure documented (72h notification window).

CCPA / CPRA (California)CompliantPrivacy notice mirrors GDPR's plain-English disclosures. Delete-my-data button is a single tap from /settings/privacy.

SOC 2 Type IOn enterprise demandFoundation in place — encryption at rest, RBAC, audit logs, deploy review process. Type I audit window opens the day a prospect signs an NDA.

SOC 2 Type IITarget Q4Type II requires a 6-month observation window. We start the clock when a paying enterprise commits.

HIPAANot in scopeReplyArc is built for B2B outbound, not regulated healthcare workflows. We do not process PHI.

GDPR liveSOC 2 Type I · on demandType II · 6-mo window starts on enterprise NDA

CONTACT · SECURITY

Found something? Tell us.

Coordinated disclosure welcome. We acknowledge inside one business day and patch critical issues within 72 hours. No bounty program yet — we send a written thank-you and credit on the disclosure log.

PRIMARY

security@replyarc.com

Encrypt with PGP if you can — public key on request. Otherwise plain email is fine; we do not request reproduction details over chat.

PRIVACY · GDPR

privacy@replyarc.com

Data subject access requests, controller-to-processor questions, DPA execution.

BREACH NOTIFICATION

GDPR Art. 33 — 72-hour notification window. Procedure documented internally as BREACH-RESPONSE-PROCEDURE.md. We notify named contacts before the public disclosure.

20 MIN · NO PITCH

Book the call.

Twenty minutes. We'll tell you, honestly, whether an install is the right call right now — or whether you should keep renting an agency for another quarter.

Book a call See install pricing