Security
Your court-bound documents include things courts subpoena: full name, address, account numbers, statutory damages claimed. We tell you exactly how those are protected — and what we use, what our providers use, and which third-party certifications you can independently verify.
Encryption
Every claim below maps to specific code paths in our application. We're happy to walk through them with security researchers or compliance reviewers on request.
Sensitive identifiers (full name, address, SSN-last-4, account numbers, dispute narratives) are encrypted with AES-256-GCM before they touch the database. Encryption keys are stored separately from data, rotated on a documented schedule, and never logged.
Active key version: PII_KEY_V1 · pseudonym secret separate
All client-to-server, server-to-database, and webhook traffic runs over TLS 1.3 with modern cipher suites. HSTS with preload prevents browsers from downgrading to plaintext HTTP. We do not log decrypted PII at any layer.
Enforced via HSTS + Vercel edge
Every Stripe and Denefits webhook is verified against its HMAC signature before processing. Replay-protected via timestamp tolerance. Failed verifications are logged and rejected at HTTP 400 — never silently accepted.
Stripe SDK constructEvent · Denefits SHA-256 HMAC
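An added example (not 28Solutio's code) of the verify-then-reject flow described above, modelled on Stripe's documented `t=<timestamp>,v1=<hex>` signature-header format with the SDK's default 300-second tolerance; the secret, body and timestamps are constructed, and since the Denefits header layout is not on this page only the Stripe shape is shown.

```python
import hashlib
import hmac

# Tolerance for the signed timestamp; Stripe's SDK defaults to 300 seconds.
DEFAULT_TOLERANCE_SECONDS = 300


def sign_payload(secret: str, payload: bytes, timestamp: int) -> str:
    """Build a Stripe-style header 't=<unix ts>,v1=<hex hmac>'. The signed
    string is '<timestamp>.<raw body>', binding the timestamp to the body."""
    signed = f"{timestamp}.".encode() + payload
    digest = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_webhook(secret: str, payload: bytes, sig_header: str, now: int,
                   tolerance: int = DEFAULT_TOLERANCE_SECONDS) -> tuple[bool, str]:
    """Return (ok, reason); every failure maps to HTTP 400 in the handler."""
    parts: dict[str, list[str]] = {}
    for item in sig_header.split(","):
        key, _, value = item.partition("=")
        parts.setdefault(key.strip(), []).append(value.strip())
    if "t" not in parts or "v1" not in parts:
        return False, "malformed signature header"
    try:
        timestamp = int(parts["t"][0])
    except ValueError:
        return False, "malformed timestamp"
    # Replay protection: the signed timestamp must lie within the tolerance
    # window around the receiver's clock, so a captured delivery goes stale.
    if abs(now - timestamp) > tolerance:
        return False, "timestamp outside tolerance"
    signed = f"{timestamp}.".encode() + payload
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    # Constant-time comparison; several v1 values may be present while the
    # endpoint secret is being rotated, so accept if any one of them matches.
    if not any(hmac.compare_digest(expected, c) for c in parts["v1"]):
        return False, "signature mismatch"
    return True, "ok"


def handle_webhook(secret: str, payload: bytes, sig_header: str, now: int) -> int:
    """Minimal handler: reject with 400 on any failure, never silently accept."""
    ok, reason = verify_webhook(secret, payload, sig_header, now)
    if not ok:
        # Log only the reason, never the raw body (it may carry PII).
        print(f"webhook rejected: {reason}")
        return 400
    return 200
```

Note that the body passed to the verifier must be the raw request bytes; re-serialising parsed JSON changes whitespace and key order and breaks the HMAC.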
Supabase RLS policies enforce that you can only read and write your own cases, letters, and documents. Policies are defined in migrations (version-controlled) and audited for every new table.
Postgres RLS · enforced at the database, not the app
Infrastructure
28Solutio does not hold its own audit reports (see the note below). Instead, here's the audited posture of every service provider in our critical path. You can verify each one independently from the linked report.
Vercel: SOC 2 Type II certified · ISO 27001 · GDPR-aware DPA. Production traffic terminates at Vercel's edge with their security posture inherited.
Verify Vercel security
Supabase: SOC 2 Type II certified · HIPAA available on enterprise tier. Postgres backups (point-in-time recovery), JWT-based auth with refresh-token rotation.
Verify Supabase security
Stripe: PCI DSS Level 1 certified. We never see or store raw card numbers — Stripe Elements tokenizes card data in the browser; only Stripe customer / payment-method IDs hit our servers.
Verify Stripe security
Lob: SOC 2 Type II certified mail and print provider. Letter contents sent over TLS, printed and dropped into the USPS chain of custody.
Verify Lob security
Note: 28Solutio itself is not SOC 2, ISO 27001, GDPR, CCPA, or HIPAA audited. We inherit posture from our providers and operate under the rights-and-obligations frameworks below. If your organization requires direct certifications beyond inherited posture, we can scope a paid security review.
Your data rights
We don't gate data rights by your zip code. Whether you're a California resident, an EU citizen, or in Wyoming — these are yours by default.
You can download a JSON export of every record we hold about you (cases, letters, documents, billing history). We honor this for any user, regardless of jurisdiction — not only CCPA / GDPR residents.
You can delete your account and all associated PII at any time from Settings. Deletion is propagated to backups within 30 days. Some legal records (sent letters, court filings) are retained per statutory retention requirements — we tell you which.
You can correct or update any data in your profile, intake, or case records. We don't lock historical data — every record has an editable trail.
We do not sell, rent, or share your data with third parties for advertising, scoring, or analytics. Service providers above (Vercel, Supabase, Stripe, Lob) process data only as required to deliver the platform.
To exercise any right, email privacy@28solutio.com or use the in-app data-rights tools at /settings/privacy. We respond within 30 days; complex deletion-propagation requests may take up to 45.
Practices
These are not aspirational. Each line below maps to a specific code path, vendor relationship, or scheduled job.
Responsible disclosure
We don't run a paid bug bounty yet, but we take responsible-disclosure reports seriously and will credit researchers in our public security log on request. Please give us a reasonable disclosure window before publishing.