Infrastructure Security

Our platform is built on enterprise-grade infrastructure designed to protect your sensitive financial services data:

Cloud Hosting: Hosted on Supabase and Vercel with SOC 2 Type II compliance
Data Centers: Geographically distributed with redundancy and failover
Network Security: Enterprise firewalls, DDoS protection, and intrusion detection
Monitoring: 24/7 automated monitoring and alerting systems

Data Encryption

All data is encrypted both in transit and at rest:

In Transit: TLS 1.3 encryption for all data transmission
At Rest: AES-256 encryption for stored data
Passwords: Bcrypt hashing with salt for user credentials
Backups: Encrypted daily backups with point-in-time recovery

Access Controls

We implement strict access controls to ensure only authorized users can access your data:

Authentication: Secure email/password authentication with session management
Multi-Factor Authentication (MFA): Optional email-based verification codes for additional security
Device Recognition: We track trusted devices and alert you when new devices access your account
Team Isolation: Row-level security ensures teams can only access their own data
Role-Based Access: Granular permissions for admins, managers, and members
Approval Workflow: New team members require admin approval before accessing data
Audit Logs: Comprehensive logging of user activities and data changes

Application Security

Our application is built with security best practices:

Secure Development: Code reviews and security testing in development lifecycle
Input Sanitization: All search queries and user inputs are sanitized to prevent injection attacks
CSRF Protection: Cross-site request forgery protection on all forms
XSS Prevention: Content security policies, CSS injection protection, and HTML encoding
Dependency Scanning: Regular scanning for vulnerabilities in third-party packages
Rate Limiting: Database-backed rate limiting that persists across deployments
File Upload Validation: Strict file size and type validation on all uploads
Atomic Transactions: Critical operations use database transactions to prevent partial failures

Security Headers

We implement industry-standard security headers to protect against common web vulnerabilities:

X-Frame-Options	Prevents clickjacking attacks
X-Content-Type-Options	Prevents MIME type sniffing
X-XSS-Protection	Browser XSS filtering
Referrer-Policy	Controls referrer information
Permissions-Policy	Restricts browser features
Content-Security-Policy	Controls resource loading

AI & Data Privacy

For features that use AI (like contact import), we ensure your data remains private:

🤖

Powered by Claude (Anthropic)

We use Claude by Anthropic, an AI assistant designed with safety and privacy as core principles. Anthropic maintains enterprise-grade data handling agreements and does not use API data for model training.

No Training: Your data is never used to train AI models
API-Only: AI features use secure API calls with enterprise privacy agreements
Data Minimization: Only necessary data is sent for AI processing
No Retention: AI providers do not retain your data after processing
Anthropic Privacy: View Anthropic's privacy practices at privacy.anthropic.com

Input Sanitization & XSS Prevention

All user input fields are protected against cross-site scripting (XSS) and injection attacks:

Protected Input Fields

Notes & Sticky Notes

Quick Links (URL validated)

Tasks & Descriptions

Contact Notes

Activity Logs

Email Invitations

React Auto-Escaping: All text content is automatically escaped by React
URL Validation: Links are sanitized to only allow http/https protocols
Protocol Blocking: javascript:, data:, and vbscript: URLs are blocked
HTML Escaping: Special characters in emails are escaped to prevent injection
Length Limits: Text fields have maximum length limits to prevent abuse

Webhook & Integration Security

Third-party integrations are secured with industry-standard verification:

HMAC Signature Verification: All webhooks (Stripe, Telegram, Easify) verify cryptographic signatures
Constant-Time Comparison: Secret comparisons use timing-safe algorithms to prevent timing attacks
Replay Attack Prevention: Webhooks include timestamp validation (5-minute window)
OAuth 2.0: Google, Microsoft, Zoom integrations use OAuth with PKCE and state validation
Token Encryption: OAuth tokens encrypted at rest with AES-256-GCM
Cron Job Authentication: Scheduled jobs require cryptographically-verified authorization

QR Code Security

QR code generation includes input validation and escaping to prevent injection attacks:

vCard Escaping: Contact card data properly escaped per RFC 6350
WiFi QR Escaping: Network credentials escaped to prevent configuration injection
Calendar Escaping: iCalendar events escaped per RFC 5545
URL Validation: External links validated to only allow HTTP/HTTPS protocols
Phone Validation: Phone numbers validated for E.164 format compliance

Client Portal Security

Our Client Portal allows agents to share task updates with clients securely. The portal is protected with multiple layers of security:

Portal Access Protection

Unique Magic Links: Each client receives a cryptographically random 16-character URL token
PIN Verification: 6-digit PIN required to access portal, hashed with bcrypt (10 rounds)
JWT Sessions: Sessions use signed JWT tokens (HS256) instead of plain encoding
Session Expiration: Portal sessions automatically expire after 24 hours
Token Expiration: Portal links can be set to expire (1 day to 1 year, or never)

Brute Force Protection

PIN Rate Limiting: Maximum 5 PIN attempts per token, 10 per IP address per 15 minutes
Lookup Rate Limiting: Maximum 30 token lookups per IP per 15 minutes to prevent enumeration
Database-Backed: Rate limits persist across deployments and server restarts

Request Security

Token Validation: Every request validates the portal token still exists and hasn't expired
CSRF Protection: Double-submit cookie pattern protects POST requests
Secure Cookies: HttpOnly, Secure, SameSite cookies prevent XSS and CSRF attacks
Instant Revocation: Agents can revoke portal access at any time, invalidating all sessions

Compliance

We maintain compliance with industry standards and regulations:

Infrastructure

• SOC 2 Type II (via Supabase)
• ISO 27001 aligned practices
• GDPR ready

Client Data Protection

• PII data protection
• Secure client data handling
• Audit trail capabilities

Your Data, Your Control

You have full control over your data at all times:

Data Export: Export all your contacts, policies, and records as CSV files anytime
Account Deletion: You can permanently delete your account and all associated data from your settings. No hoops to jump through
Immediate Effect: When you delete your account, all your data is permanently removed. There is no undo.

Important: Export your data before deleting your account. Once deleted, your data cannot be recovered.

Incident Response

In the event of a security incident:

Immediate containment and investigation procedures
Notification to affected users within 72 hours
Detailed incident reports and remediation plans
Post-incident review and security improvements

Security Best Practices for Users

Help us keep your data secure by following these recommendations:

Use a strong, unique password for your account
Never share your login credentials with others
Log out when using shared or public computers
Report any suspicious activity immediately
Keep your browser and devices updated

Request Security Documentation

Enterprise customers and security teams can request detailed documentation for their vendor assessment and due diligence reviews:

Available Upon Request

SOC 2 Type II Report (via Supabase)
Security architecture overview
Data processing agreements (DPA)
Vendor security questionnaire responses

Request Documentation

Report a Vulnerability

We appreciate responsible disclosure of security vulnerabilities. If you discover a security issue, please contact us:

Security Team

Email: hello@wsbroundtable.com

Please include detailed steps to reproduce the issue. We will respond within 48 hours.

Infrastructure Security

Our platform is built on enterprise-grade infrastructure designed to protect your sensitive financial services data:

Cloud Hosting: Hosted on Supabase and Vercel with SOC 2 Type II compliance
Data Centers: Geographically distributed with redundancy and failover
Network Security: Enterprise firewalls, DDoS protection, and intrusion detection
Monitoring: 24/7 automated monitoring and alerting systems

Data Encryption

All data is encrypted both in transit and at rest:

In Transit: TLS 1.3 encryption for all data transmission
At Rest: AES-256 encryption for stored data
Passwords: Bcrypt hashing with salt for user credentials
Backups: Encrypted daily backups with point-in-time recovery

Access Controls

We implement strict access controls to ensure only authorized users can access your data:

Authentication: Secure email/password authentication with session management
Multi-Factor Authentication (MFA): Optional email-based verification codes for additional security
Device Recognition: We track trusted devices and alert you when new devices access your account
Team Isolation: Row-level security ensures teams can only access their own data
Role-Based Access: Granular permissions for admins, managers, and members
Approval Workflow: New team members require admin approval before accessing data
Audit Logs: Comprehensive logging of user activities and data changes

Application Security

Our application is built with security best practices:

Secure Development: Code reviews and security testing in development lifecycle
Input Sanitization: All search queries and user inputs are sanitized to prevent injection attacks
CSRF Protection: Cross-site request forgery protection on all forms
XSS Prevention: Content security policies, CSS injection protection, and HTML encoding
Dependency Scanning: Regular scanning for vulnerabilities in third-party packages
Rate Limiting: Database-backed rate limiting that persists across deployments
File Upload Validation: Strict file size and type validation on all uploads
Atomic Transactions: Critical operations use database transactions to prevent partial failures

Security Headers

We implement industry-standard security headers to protect against common web vulnerabilities:

X-Frame-Options	Prevents clickjacking attacks
X-Content-Type-Options	Prevents MIME type sniffing
X-XSS-Protection	Browser XSS filtering
Referrer-Policy	Controls referrer information
Permissions-Policy	Restricts browser features
Content-Security-Policy	Controls resource loading

AI & Data Privacy

For features that use AI (like contact import), we ensure your data remains private:

🤖

Powered by Claude (Anthropic)

No Training: Your data is never used to train AI models
API-Only: AI features use secure API calls with enterprise privacy agreements
Data Minimization: Only necessary data is sent for AI processing
No Retention: AI providers do not retain your data after processing
Anthropic Privacy: View Anthropic's privacy practices at privacy.anthropic.com

Input Sanitization & XSS Prevention

All user input fields are protected against cross-site scripting (XSS) and injection attacks:

Protected Input Fields

Notes & Sticky Notes

Quick Links (URL validated)

Tasks & Descriptions

Contact Notes

Activity Logs

Email Invitations

React Auto-Escaping: All text content is automatically escaped by React
URL Validation: Links are sanitized to only allow http/https protocols
Protocol Blocking: javascript:, data:, and vbscript: URLs are blocked
HTML Escaping: Special characters in emails are escaped to prevent injection
Length Limits: Text fields have maximum length limits to prevent abuse

Webhook & Integration Security

Third-party integrations are secured with industry-standard verification:

HMAC Signature Verification: All webhooks (Stripe, Telegram, Easify) verify cryptographic signatures
Constant-Time Comparison: Secret comparisons use timing-safe algorithms to prevent timing attacks
Replay Attack Prevention: Webhooks include timestamp validation (5-minute window)
OAuth 2.0: Google, Microsoft, Zoom integrations use OAuth with PKCE and state validation
Token Encryption: OAuth tokens encrypted at rest with AES-256-GCM
Cron Job Authentication: Scheduled jobs require cryptographically-verified authorization

QR Code Security

QR code generation includes input validation and escaping to prevent injection attacks:

vCard Escaping: Contact card data properly escaped per RFC 6350
WiFi QR Escaping: Network credentials escaped to prevent configuration injection
Calendar Escaping: iCalendar events escaped per RFC 5545
URL Validation: External links validated to only allow HTTP/HTTPS protocols
Phone Validation: Phone numbers validated for E.164 format compliance

Client Portal Security

Our Client Portal allows agents to share task updates with clients securely. The portal is protected with multiple layers of security:

Portal Access Protection

Unique Magic Links: Each client receives a cryptographically random 16-character URL token
PIN Verification: 6-digit PIN required to access portal, hashed with bcrypt (10 rounds)
JWT Sessions: Sessions use signed JWT tokens (HS256) instead of plain encoding
Session Expiration: Portal sessions automatically expire after 24 hours
Token Expiration: Portal links can be set to expire (1 day to 1 year, or never)

Brute Force Protection

PIN Rate Limiting: Maximum 5 PIN attempts per token, 10 per IP address per 15 minutes
Lookup Rate Limiting: Maximum 30 token lookups per IP per 15 minutes to prevent enumeration
Database-Backed: Rate limits persist across deployments and server restarts

Request Security

Token Validation: Every request validates the portal token still exists and hasn't expired
CSRF Protection: Double-submit cookie pattern protects POST requests
Secure Cookies: HttpOnly, Secure, SameSite cookies prevent XSS and CSRF attacks
Instant Revocation: Agents can revoke portal access at any time, invalidating all sessions

Compliance

We maintain compliance with industry standards and regulations:

Infrastructure

• SOC 2 Type II (via Supabase)
• ISO 27001 aligned practices
• GDPR ready

Client Data Protection

• PII data protection
• Secure client data handling
• Audit trail capabilities

Your Data, Your Control

You have full control over your data at all times:

Data Export: Export all your contacts, policies, and records as CSV files anytime
Account Deletion: You can permanently delete your account and all associated data from your settings. No hoops to jump through
Immediate Effect: When you delete your account, all your data is permanently removed. There is no undo.

Important: Export your data before deleting your account. Once deleted, your data cannot be recovered.

Incident Response

In the event of a security incident:

Immediate containment and investigation procedures
Notification to affected users within 72 hours
Detailed incident reports and remediation plans
Post-incident review and security improvements

Security Best Practices for Users

Help us keep your data secure by following these recommendations:

Use a strong, unique password for your account
Never share your login credentials with others
Log out when using shared or public computers
Report any suspicious activity immediately
Keep your browser and devices updated

Request Security Documentation

Enterprise customers and security teams can request detailed documentation for their vendor assessment and due diligence reviews:

Available Upon Request

SOC 2 Type II Report (via Supabase)
Security architecture overview
Data processing agreements (DPA)
Vendor security questionnaire responses

Request Documentation

Report a Vulnerability

We appreciate responsible disclosure of security vulnerabilities. If you discover a security issue, please contact us:

Security Team

Email: hello@wsbroundtable.com

Please include detailed steps to reproduce the issue. We will respond within 48 hours.

Security

Regularly Audited & Verified

Encrypted

Protected

Controlled

Infrastructure Security

Data Encryption

Access Controls

Application Security

Security Headers

AI & Data Privacy

Powered by Claude (Anthropic)

Input Sanitization & XSS Prevention

Protected Input Fields

Webhook & Integration Security

QR Code Security

Client Portal Security

Portal Access Protection

Brute Force Protection

Request Security

Compliance

Infrastructure

Client Data Protection

Your Data, Your Control

Incident Response

Security Best Practices for Users

Request Security Documentation

Available Upon Request

Report a Vulnerability

Security

Regularly Audited & Verified

Encrypted

Protected

Controlled

Infrastructure Security

Data Encryption

Access Controls

Application Security

Security Headers

AI & Data Privacy

Powered by Claude (Anthropic)

Input Sanitization & XSS Prevention

Protected Input Fields

Webhook & Integration Security

QR Code Security

Client Portal Security

Portal Access Protection

Brute Force Protection

Request Security

Compliance

Infrastructure

Client Data Protection

Your Data, Your Control

Incident Response

Security Best Practices for Users

Request Security Documentation

Available Upon Request

Report a Vulnerability