Trust

Security & Incident Response

Last updated: April 26, 2026

Encryption: AES-256 at rest, TLS 1.2+ in transit. Keys managed by Google Cloud KMS.
Access control: Role-based on the customer side. Least-privilege + MFA for our staff.
Hosting: Firebase (SOC 2 Type II, ISO 27001) and Vercel. Multi-region, automated daily backups.
Monitoring: Auth, webhook and cron logs are retained for security audit and anomaly detection.

Our Security Program

Notify Beforehand is built on managed, audited cloud infrastructure (Google Firebase and Vercel) and applies a layered set of controls on top — least-privilege access, MFA-protected admin accounts, dependency scanning, and monitoring of authentication, billing, and reminder pipelines.

We don't claim certifications we haven't earned. We inherit SOC 2 Type II and ISO 27001 from Google Cloud / Firebase for the underlying platform. SOC 2 for Notify Beforehand itself is on the roadmap; this page will be updated when audit results are available.

Data Protection

  • Encryption at rest: AES-256 for Firestore and Firebase Storage; backups inherit the same encryption.
  • Encryption in transit: TLS 1.2+ for every request. HSTS is enabled across the application.
  • Secrets: API keys and Paddle webhook secrets are stored as Vercel environment variables, not in source control. The rotation procedure is documented; secrets are re-keyed annually or whenever personnel with access change.
  • Backups: Daily automated Firestore backups with point-in-time recovery. Backup integrity is verified quarterly.

Application Security

  • Firestore and Storage security rules enforce per-user document ownership at the database layer — not just in application code.
  • Server-side endpoints validate JWTs from Firebase Auth before any read or write, with the reminder webhook gated by a shared secret.
  • Paddle webhooks are verified using the official signature header before any processing; events are deduplicated using a processedWebhooks ledger keyed on the event identifier, so a replayed delivery is acknowledged but not acted on twice.
  • Email content is HTML-escaped before rendering into reminder templates, eliminating an HTML injection vector for downstream mail clients.
  • Passwords have a 10-character minimum and are never stored by us — Firebase Auth manages the credential vault.

Vulnerability & Patch Management

  • Automated dependency scanning runs on every change. High/critical vulnerabilities are patched within 7 days.
  • The application platform (Next.js, Node runtime) is upgraded on a regular cadence.
  • Coordinated disclosure is welcomed at security@notifybeforehand.com. Please give us 90 days to remediate before public disclosure.

Incident Response Plan

We follow a five-phase plan adapted from NIST SP 800-61. Customer notifications happen at the boundary between containment and eradication, never later than 72 hours after confirmed compromise.

1. Detection
Triggered by automated monitoring (auth anomalies, error spikes, webhook signature failures), customer reports, or third-party advisories. The on-call engineer confirms the alert within one hour and opens an incident ticket.

2. Containment
Severity is classified (SEV-1 through SEV-3). For SEV-1/2 we revoke compromised credentials, isolate affected components, and freeze deploys. The goal is to stop the bleeding before investigating root cause.

3. Notification
Customer-facing communication begins as soon as we have a reliable picture of impact. For confirmed Personal Data Breaches we notify affected Customers within 72 hours via email to the billing contact on file, with a description of the nature of the breach, data categories involved, likely consequences, and mitigations underway. We post live status at the same time so customers can see updates without waiting for the next email.

4. Eradication & Recovery
Root cause is fixed (patch, config change, credential rotation, code revert). Service is restored from backups if needed. We verify integrity by re-running automated checks and customer-facing health probes before declaring the incident closed.

5. Post-Incident Review
Within 14 days of resolution we publish an internal post-mortem with timeline, contributing factors, and a list of corrective actions with owners and due dates. A redacted summary is shared on request with affected customers.

How to Reach Us