Six practical promises
Production data sits in AWS eu-west-1 + eu-central-1. Neon Postgres in Frankfurt. CloudFront edge cache is global but caches only public marketing assets — never tenant payloads. No cross-Atlantic data flow.
Postgres + S3 + DynamoDB use the AWS-managed KMS keys by default. SSM SecureString for every secret. No app-level plaintext storage of API keys (SHA-256 hash + 16-char prefix index only).
ACM-managed certs, HSTS preload on all production hostnames, TLS 1.0/1.1 disabled at the edge. Internal Lambda → Aurora traffic over VPC + IAM auth, not the public internet.
Console: 8h JWT sessions with passwordless magic-link onboarding (no password storage at all). API: bearer tokens, prefix-indexed, SHA-256-hashed, scope-gated. Per-key rate limits + Stripe-metered audit.
When tenant traffic goes through L2c (intelligence layer) or L6 (decision agent), tenant content is sent to Anthropic (with prompt caching enabled) and to no other model provider; a per-tenant token budget caps spend and gates abuse. No tenant content is sent to OpenAI / Google / any other provider. We don't sell or share tenant payloads.
Every scoring call is recorded in scoring_audit_log with raw weather samples + provider chain + the response that was returned. Tenants can export their own audit log on demand. Retention is 1 year by default, extendable under DPA.
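The API-key handling described above (SHA-256 hash plus a 16-character prefix index, scope-gated bearer tokens, no plaintext at rest) in TypeScript, as an added example written for this page; it is not goable's own code. The `gbl_` tag, the scope names, the column names and the in-memory store are assumptions made for the example.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Illustrative shape of a stored key (column names are assumptions). The
// plaintext key is never written here: only its SHA-256 hash and a
// 16-character prefix that serves as the lookup index.
export interface ApiKeyRecord {
  prefix: string;      // first 16 chars of the key; not secret, safe to show in a console
  hash: string;        // hex SHA-256 of the full plaintext key
  scopes: string[];    // e.g. ["score:read"]; scope names are assumptions
  revokedAt: Date | null;
}

export const PREFIX_LEN = 16;

export function sha256Hex(input: string): string {
  return createHash("sha256").update(input).digest("hex");
}

// Mint a key: 32 random bytes, base64url-encoded, behind a fixed "gbl_" tag so
// secret scanners can recognise it (the tag is an assumption, not the real
// format). The plaintext is shown to the tenant once; only the record is kept.
export function issueApiKey(scopes: string[]): { plaintext: string; record: ApiKeyRecord } {
  const plaintext = "gbl_" + randomBytes(32).toString("base64url");
  const record: ApiKeyRecord = {
    prefix: plaintext.slice(0, PREFIX_LEN),
    hash: sha256Hex(plaintext),
    scopes,
    revokedAt: null,
  };
  return { plaintext, record };
}

// In-memory stand-in for the prefix-indexed table.
export class ApiKeyStore {
  private byPrefix = new Map<string, ApiKeyRecord[]>();

  insert(record: ApiKeyRecord): void {
    const bucket = this.byPrefix.get(record.prefix) ?? [];
    bucket.push(record);
    this.byPrefix.set(record.prefix, bucket);
  }

  // Resolve a presented bearer token to its record, or null if it is unknown,
  // revoked, or lacks the required scope. The prefix narrows the candidate
  // rows (a 16-char prefix can collide, so the index maps to a list, not a
  // unique row); the digest comparison is constant-time so response timing
  // does not reveal how many bytes of a guess were correct.
  authenticate(presented: string, requiredScope: string): ApiKeyRecord | null {
    if (presented.length <= PREFIX_LEN) return null;
    const candidates = this.byPrefix.get(presented.slice(0, PREFIX_LEN)) ?? [];
    const presentedHash = Buffer.from(sha256Hex(presented), "hex");
    let matched: ApiKeyRecord | null = null;
    for (const rec of candidates) {
      const stored = Buffer.from(rec.hash, "hex");
      // timingSafeEqual throws on unequal lengths; both are 32-byte digests here.
      if (stored.length === presentedHash.length && timingSafeEqual(stored, presentedHash)) {
        matched = rec;
      }
    }
    if (matched === null || matched.revokedAt !== null) return null;
    return matched.scopes.includes(requiredScope) ? matched : null;
  }
}
```

Two design points worth noting. An unsalted SHA-256 is adequate here only because the key carries 256 bits of randomness; for anything a human chooses (passwords) a slow, salted KDF is required instead. And the early return on an unknown prefix leaks whether the prefix exists, which is acceptable because the prefix is already treated as non-secret; the full-key comparison is the part that must not leak, hence `timingSafeEqual`.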
What we have, what's in progress
We won't pretend to certifications we don't hold. Below is the honest list. If you're an enterprise prospect with a security questionnaire that asks for the SOC2 Type II report, the answer today is "in progress, see the post-launch plan." If you need the questionnaire answered formally, the partnerships desk is the path.
Full compliance. Pseudonym-based user-data deletion (L6 Tier 1 right to erasure), tenant-scoped DPA available on signature, EU-resident DPO once we cross the headcount threshold (currently <50).
Standard form available at /legal/data-processing-agreement (CC BY 4.0 base, signed addendum on request). Sub-processor list is public; new sub-processors are notified 30 days before activation.
Type I in scope for the post-launch quarter. We will not claim Type II until the audit completes — currently in the policies-drafted phase. Honest signal: NOT certified today.
Tracked but not in active certification. Most controls are de facto met (the engineering practices map closely) but we won't ship a logo until audited.
The engineering reality
Every secret (Stripe, Anthropic, Resend, DB URL, session keys) is an AWS SSM SecureString. IAM roles + scoped ssm:GetParameter on a path prefix. No .env files in source control; .envrc for local dev only and gitignored.
pnpm-lock pinned + Dependabot watching. Critical CVE alerts gate prod deploys. The vendor list is short on purpose — Hono + Drizzle + radix-ui + lucide are the load-bearing libraries.
AWS Identity Center (SSO) only, TOTP-mandatory. Root account credentials sealed (1Password emergency container). Production access logs go to CloudTrail; ops session activity to scoring_audit_log.
Slack #incidents channel for triage; status updates land on the public status strip within 5 minutes of detection. Post-mortems published openly for any incident affecting tenant traffic.
Found something?
Responsible disclosure: email security@goable.io with the details. We acknowledge within one working day, triage within five, and request and publish a CVE (with credit, unless you prefer otherwise) for anything that warrants one. No bounty programme yet, since we're pre-launch, but we'll send merch + name credit and a real founder reply.
Questionnaires & SIG
If you need a formal security questionnaire (SIG Lite, CAIQ, custom vendor questionnaire), the partnerships desk routes it to the founder + the senior engineer who built whatever piece of the system the question is about. We try to turn it around in five working days.