Security
How we protect your data and the controls we have in place.
At a glance
TLS everywhere
HTTPS-only with HSTS preload. Connections from the app to Postgres, Stripe, Resend, and Seam all use TLS 1.2+.
Strong auth
bcrypt-hashed passwords, optional TOTP-based 2FA with single-use backup codes, signed iron-session cookies (httpOnly, SameSite=Lax, Secure).
Tenant isolation
Every row in our schema carries an orgId. All queries scope to the caller's active org. Cross-tenant access is impossible through normal application paths.
Defense in depth
HTTP security headers (HSTS, X-Frame-Options DENY, CSP, Referrer-Policy, Permissions-Policy), DB-backed rate limiting on login + the public API, signed Stripe + Seam webhooks, structured logging with optional Sentry forwarding.
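As an added example (not LockSteve's own code), the header set listed above in the shape a Next.js `headers()` config returns, plus an audit function that checks a fetched response's headers against that policy; the CSP text, the chosen Referrer-Policy and Permissions-Policy values, and the one-year HSTS threshold are assumptions.

```javascript
// Added example, not LockSteve's code. Builds the header policy named on the
// page and audits a response's headers against it. Values marked "assumed"
// are illustrative choices, not the production configuration.

const HSTS_MIN_AGE = 31536000; // one year, assumed minimum for preload eligibility

// Header set matching the page: HSTS preload, X-Frame-Options DENY, CSP,
// Referrer-Policy, Permissions-Policy. The CSP body is an assumed example.
function securityHeaders() {
  return [
    { key: 'Strict-Transport-Security', value: `max-age=${HSTS_MIN_AGE}; includeSubDomains; preload` },
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'Content-Security-Policy', value: "default-src 'self'; frame-ancestors 'none'; object-src 'none'" },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
    { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
  ];
}

// next.config.js shape: apply the policy to every route.
function nextHeadersConfig() {
  return [{ source: '/(.*)', headers: securityHeaders() }];
}

// Audit a response's headers (name -> value, any case) and return findings.
// An empty array means the response meets the policy above.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  const hsts = h['strict-transport-security'];
  if (!hsts) findings.push('missing Strict-Transport-Security');
  else {
    const age = Number((/max-age=(\d+)/.exec(hsts) || [])[1]);
    if (!(age >= HSTS_MIN_AGE)) findings.push('HSTS max-age below one year');
    if (!/includesubdomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
    if (!/preload/i.test(hsts)) findings.push('HSTS lacks preload');
  }
  if ((h['x-frame-options'] || '').toUpperCase() !== 'DENY') findings.push('X-Frame-Options is not DENY');
  const csp = h['content-security-policy'];
  if (!csp) findings.push('missing Content-Security-Policy');
  else if (!/default-src/.test(csp)) findings.push('CSP has no default-src');
  if (!h['referrer-policy']) findings.push('missing Referrer-Policy');
  if (!h['permissions-policy']) findings.push('missing Permissions-Policy');
  return findings;
}

// Convert the Next.js header list into the name -> value object auditHeaders expects.
function headersAsObject(list) {
  return Object.fromEntries(list.map(({ key, value }) => [key, value]));
}
```

Running `auditHeaders` over the headers of a real response to your own deployment is a quick way to confirm the policy survived hosting and CDN layers.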
Compliance posture
| Framework | Status |
|---|---|
| SOC 2 Type II | Roadmap — Q3 2026 |
| GDPR | DPA available on request |
| CCPA | Honored |
| HIPAA | Not currently certified |
We're happy to share our internal control documentation with prospective customers under NDA. Reach out to security@locksteve.com.
Subprocessors
We share customer data only with the third parties strictly necessary to run the service. Each is bound by a Data Processing Agreement.
| Vendor | Purpose | Location | DPA |
|---|---|---|---|
| Vercel | Application hosting (Next.js runtime) | US (default region iad1) | Link |
| Neon | Managed Postgres database | US-East | Link |
| Stripe | Billing & payments | US / EU (PCI Level 1) | Link |
| Resend | Transactional email delivery | US | Link |
| Seam | Universal lock-vendor API | US | Link |
| GitHub | Source-code hosting + CI runner | US | Link |
Material changes to this list will be announced via email at least 30 days before the new subprocessor handles any customer data.
Report a vulnerability
If you believe you've found a security issue in LockSteve, please email security@locksteve.com. We respond within one business day and don't pursue legal action against good-faith research.
Please do not run automated scans against production. The rate limiter will block you, and we'd rather discuss the testing plan first.
Questions about a specific control or a security questionnaire? Talk to sales.