/ trust / security
security posture
tl;dr — this page describes technical and organisational controls for the whitelabel.dev product. it is not the legal vulnerability disclosure policy; for safe-harbour reporting and timelines see security & disclosure. reward-eligible research is covered under our bug bounty.
/01 authentication
access to customer workspaces is gated behind authenticated sessions. supported patterns include:
- multi-factor authentication (MFA) — enforced or encouraged per workspace policy where the identity stack supports second factors.
- single sign-on (SSO) — enterprise-style login via standards-based identity providers (for example OAuth 2 flows such as sign-in with Google).
- passwordless — where offered, passwordless or magic-link flows reduce credential theft surface; password-based accounts remain compatible where required.
/02 authorization
application permissions follow least-privilege defaults:
- row-level security (RLS) — tenant data in our primary database is scoped so queries respect workspace membership and role policies.
- audit log — security-sensitive actions produce structured events suitable for review during investigations and compliance inquiries (retention aligned with product settings and legal holds).
/03 data at rest
customer content and backups reside on infrastructure where encryption at rest is provided by the underlying cloud and database vendors (for example volume and object-store encryption managed by our hosting and data-plane providers).
/04 data in transit
browser and API traffic is served over TLS with modern cipher preferences. internal service calls that leave a trusted boundary use encrypted channels consistent with vendor best practices.
/05 backups & disaster recovery
database and object storage tiers maintain automated backups with point-in-time recovery options appropriate to the production tier. we test restore paths on a cadence that matches our SOC 2 control narrative. specific recovery time and recovery point objectives are summarised alongside contractual commitments in the service-level agreement.
/06 subprocessors
vendors that process personal data on our behalf are listed with roles, regions, and contract references in the public subprocessor register. material changes follow the notice pathway described there and in customer agreements.
/07 incident response
confirmed or suspected security incidents are owned by our security function with executive escalation. customers may report issues to security@whitelabel.dev; acknowledgement and triage timelines for coordinated vulnerability reports are published on security & disclosure. customer notification for data incidents follows the timelines and content requirements in our privacy notice and DPAs where applicable.
/08 penetration testing
we engage qualified third parties for application and infrastructure penetration tests on a recurring basis (at least annually, with ad-hoc tests after major architectural changes). executive summaries are available to customers under NDA; detailed findings feed our engineering backlog with severity-based SLAs.