What we attest to today, what is in progress, and what is on our roadmap.
This page documents Rethunk.Tech's compliance posture for our website and for Bastion as a platform. Items marked self-attested reflect controls we have implemented and can demonstrate; they are not third-party audited certifications. Items marked in progress or roadmap state where we actually are in the process, not where we intend to be.
Our public website is built and tested against WCAG 2.1 AA success criteria. Accessibility violations are caught at the CI level using axe-core on every pull request - a page cannot merge if it introduces a detectable regression.
This website applies mitigations for the OWASP Top 10 web application risks: strict Content-Security-Policy headers, CSRF defense via Fetch Metadata (Sec-Fetch-Site) and Origin validation, input validation via Zod schemas on all API routes, rate limiting on all public endpoints, no third-party script execution, and HTTPS with HSTS in production.
All production traffic is served over HTTPS with a Strict-Transport-Security header (max-age=63072000; includeSubDomains; preload), so a browser that has seen it refuses plain-HTTP connections to this host and its subdomains for two years. Insecure requests are automatically upgraded. The preload directive only marks the domain as eligible for the browser HSTS preload list; inclusion also requires submitting the domain at hstspreload.org.
A strict Content-Security-Policy is enforced on all responses. It restricts script, style, font, image, and connection sources to explicitly approved origins. 'unsafe-eval' is never enabled in production.
All public POST endpoints (consultation booking, page feedback, newsletter subscription) enforce per-IP rate limits. Limits are shared across instances via Upstash Redis when available, with an in-process fallback for single-instance deployments.
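A per-IP limiter with the in-process fallback described above, as an added example that is not the site's own implementation. The store is pluggable: `MemoryStore` is the single-instance fallback, and a shared Redis-backed store (assumed, not shown) would satisfy the same `hit()` contract with INCR plus PEXPIRE. The class and function names, and the assumption of exactly one trusted reverse proxy in front of the app, are the example's own.

```javascript
// Added example, not Rethunk.Tech's own code. Fixed-window per-IP limiting
// with a pluggable store. MemoryStore is the single-instance fallback; a
// shared store (assumed, not shown) would implement the same hit() contract
// with Redis INCR + PEXPIRE. Names and the one-proxy topology are assumptions.

class MemoryStore {
  constructor() { this.buckets = new Map(); }

  // Count one hit for `key` in the fixed window containing `now` (ms) and
  // return the window's running count plus the time it resets.
  hit(key, windowMs, now) {
    const windowStart = now - (now % windowMs);
    const entry = this.buckets.get(key);
    if (entry === undefined || entry.windowStart !== windowStart) {
      this.buckets.set(key, { windowStart, windowMs, count: 1 });
      return { count: 1, resetAt: windowStart + windowMs };
    }
    entry.count += 1;
    return { count: entry.count, resetAt: windowStart + windowMs };
  }

  // Evict finished windows so the fallback cannot grow without bound.
  // Returns the number of live buckets left.
  sweep(now) {
    for (const [key, e] of this.buckets) {
      if (e.windowStart + e.windowMs <= now) this.buckets.delete(key);
    }
    return this.buckets.size;
  }
}

class RateLimiter {
  // `now` is injectable so the window arithmetic can be tested deterministically.
  constructor({ limit, windowMs, store = new MemoryStore(), now = Date.now }) {
    Object.assign(this, { limit, windowMs, store, now });
  }

  // Returns { allowed, remaining, retryAfterSec } for one request from `key`.
  // retryAfterSec is what goes into the Retry-After header on a 429.
  check(key) {
    const t = this.now();
    const { count, resetAt } = this.store.hit(key, this.windowMs, t);
    const allowed = count <= this.limit;
    return {
      allowed,
      remaining: Math.max(0, this.limit - count),
      retryAfterSec: allowed ? 0 : Math.ceil((resetAt - t) / 1000),
    };
  }
}

// The rate-limit key. X-Forwarded-For is attacker-controlled unless our own
// proxy set it, so it is honoured only when `trustProxy` is true, and then
// only its last element (the one hop our single proxy appended).
function clientIp(headers, socketAddr, trustProxy) {
  const xff = headers.get('x-forwarded-for');
  if (!trustProxy || !xff) return socketAddr;
  const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
  return hops.length ? hops[hops.length - 1] : socketAddr;
}
```

The keying function is where per-IP limits usually go wrong: honouring X-Forwarded-For from the open internet lets a client pick any "IP" it likes and escape the limit, while ignoring it behind a proxy collapses every user onto the proxy's address. Whether the limit is a fixed window (as here) or a sliding one matters less than getting that key right.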
We collect only the data required to fulfill each request. Consultation bookings capture name, email, timezone, and stated interest. Page feedback captures an anonymized session hash - never a persistent user identifier. No behavioral tracking cookies are set by default.
Personal data submitted through this website is processed in accordance with GDPR principles: lawful basis (legitimate interest / consent), data minimization, purpose limitation, and data subject rights. Our Supabase backend enforces Row-Level Security on all tables containing personal data. We do not sell or share personal data with third parties for advertising purposes.
This site does not set third-party tracking cookies. Analytics (Plausible) is cookieless and privacy-first, and is only enabled when configured. No retargeting pixels or social media tracking scripts are loaded.
We operate a responsible disclosure process for security vulnerabilities. If you discover a security issue affecting this site or the Bastion platform, please report it to [email protected]. We commit to acknowledging reports within two business days and providing a remediation timeline. We do not pursue legal action against good-faith security researchers.
A SOC 2 Type II report (an independent auditor's attestation, not a certification) is on our roadmap for the Bastion platform. Our current security practices - including hash-chained intent ledgers, mTLS certificate pinning, and Ed25519 directive signing - align with the Trust Service Criteria. Prospective partners may request our current security posture documentation directly.
For healthcare deployments involving protected health information (PHI), a HIPAA Business Associate Agreement will be available upon request. We are designing Bastion's data handling and audit capabilities to meet BAA requirements. Contact [email protected] for current status.
FedRAMP authorization is on our roadmap for regulated government deployments. We are designing Bastion's infrastructure to align with the FedRAMP Moderate baseline (NIST SP 800-53 controls) as a prerequisite for authorization.
ISO 27001 certification is on our roadmap. Our current security practices align with the ISO 27001 Annex A control set, and we intend to pursue formal certification as the platform matures.
Need to discuss compliance requirements?
We work directly with compliance, risk, and engineering teams in regulated industries.