InfoSec Checklist
Common security and compliance questions mapped to our documentation and actual behavior. Use this for vendor questionnaires and security reviews.
| Question | Answer | Reference / Where to look |
|---|---|---|
| Encryption at rest? | Yes | Supabase AES-256 disk encryption; API keys stored only as SHA-256 hashes. |
| Encryption in transit? | Yes | TLS 1.3 (HTTPS) for all API and webhook traffic. |
| Client-side / E2E encryption? | Partial | Optional `LETSPING_ENCRYPTION_KEY`; when enabled, payloads are encrypted before they reach us and we never see plaintext. |
| Audit logs? | Yes | Structured audit logs; configurable retention (14 days on Free, 60 days on Pro); export by project and date range. |
| PII in logs? | Partial | Firewall block events redact email- and SSN-like patterns; other fields are logged as sent, so we recommend keeping PII out of payloads. |
| Access control / tenant isolation? | Yes | All data is scoped by project and org; no cross-tenant access. |
| Authentication (dashboard)? | Yes | Supabase Auth (email, GitHub, Google); MFA where the provider supports it. |
| API key storage? | Yes | Keys are hashed before storage; we never store or display the plaintext key after creation. |
| Webhook signing? | Yes | HMAC-SHA256 over the delivery with a timestamp; deliveries older than 5 minutes are rejected (replay window). |
| Data residency / location? | Yes | Data is processed and stored in the United States. |
| Subprocessor list? | Yes | Upstash, Supabase, Vercel, Stripe; full table in Privacy. |
| DPA available? | Yes | Template at /legal/dpa; signed DPA via legal@letsping.co. |
| No AI training on customer data? | Yes | We do not train or fine-tune on your data; no generative use of payloads. |
| Rate limiting? | Yes | Per-key token buckets (ingest, agent APIs); agent signup fails closed (requests rejected) when Redis is unavailable. |
| Idempotency? | Yes | Idempotency keys supported on ingest and handoff-outcome; keys are retained for 24h in Redis. |
| Threat model / OWASP coverage? | Partial | Documented in the Infosec guide: tenant isolation, cryptography, injection guardrail. |
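The webhook row above states the mechanism (HMAC-SHA256, a timestamp, a 5-minute replay window) but not the wire format. The following is an added receiver-side example, not code from the project: it assumes header names (`X-Letsping-Signature`, `X-Letsping-Timestamp`), a canonical string of `"<timestamp>.<raw body>"`, and a hex-encoded digest, none of which the page specifies. It shows the order of checks a receiver should apply (window check before MAC work, constant-time comparison) and adds in-window duplicate suppression, which the window alone does not give you.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Assumptions (not specified on the page): header names, canonical form, hex digest.
SIGNATURE_HEADER = "X-Letsping-Signature"
TIMESTAMP_HEADER = "X-Letsping-Timestamp"
REPLAY_WINDOW_SECONDS = 5 * 60  # the 5-minute replay window the checklist states


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side. The timestamp is inside the MAC so it cannot be swapped
    on a replayed delivery without invalidating the signature."""
    msg = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_headers(secret: bytes, timestamp: int, body: bytes) -> Dict[str, str]:
    """Headers a sender would attach to a delivery (assumed names)."""
    return {
        TIMESTAMP_HEADER: str(timestamp),
        SIGNATURE_HEADER: sign_payload(secret, timestamp, body),
    }


class SeenDeliveries:
    """Receiver-side dedupe for deliveries that are still inside the window.
    Keyed by signature; entries older than the window are pruned on each call."""

    def __init__(self) -> None:
        self._seen: Dict[str, int] = {}

    def check_and_record(self, signature: str, timestamp: int, now: int) -> bool:
        # Drop entries the window check would reject anyway.
        cutoff = now - REPLAY_WINDOW_SECONDS
        self._seen = {s: t for s, t in self._seen.items() if t >= cutoff}
        if signature in self._seen:
            return False  # already processed within the window
        self._seen[signature] = timestamp
        return True


def verify_webhook(
    secret: bytes,
    headers: Dict[str, str],
    body: bytes,
    now: Optional[int] = None,
    seen: Optional[SeenDeliveries] = None,
) -> Tuple[bool, str]:
    """Verify a delivery. Returns (accepted, reason). Checks run cheapest first:
    presence, timestamp parse, replay window, then the HMAC, then dedupe."""
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TIMESTAMP_HEADER)
    sig = headers.get(SIGNATURE_HEADER)
    if ts_raw is None or sig is None:
        return False, "missing signature or timestamp header"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    # Reject stale and far-future deliveries before doing any MAC work.
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign_payload(secret, ts, body)
    # Constant-time comparison; never use == on MACs.
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    if seen is not None and not seen.check_and_record(sig, ts, now):
        return False, "duplicate delivery within window"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a webhook secret and body, not real values.
    secret = b"whsec_constructed_example"
    body = b'{"event":"ping","id":"evt_1"}'
    now = 1_700_000_000
    hdrs = build_headers(secret, now - 10, body)
    print(verify_webhook(secret, hdrs, body, now=now))
```

Always verify against the raw request bytes, not a re-serialised JSON object; any whitespace or key-order change produces a different MAC. The dedupe store is per-process here; a multi-instance receiver would keep it in shared storage with the same expiry.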
For more detail: Trust & Compliance, Security, Privacy, Trust anchor (architecture).