Security

Cuelist security

We host your scripts, your annotations, and your live performance traffic. This page documents how we look after them — and how to tell us when we haven't.

Reporting a vulnerability

Email security@cuelist.dev with a description, reproduction steps, and any screenshots or proof-of-concept. The machine-readable policy lives at /.well-known/security.txt per RFC 9116.

We acknowledge within two business days, work the issue in private, and credit you on disclosure unless you prefer anonymity. We do not yet run a paid bug-bounty programme; we hope to once revenue makes it possible.

What we do

  • Encryption in transit. TLS 1.3 at the Cloudflare edge for every request. HSTS preload-ready.
  • Encryption at rest. Cloudflare D1 (database) and R2 (object storage) encrypt at rest by default. Stripe holds card data; we never see PANs.
  • Two-factor authentication. Available at every plan tier under /settings/security. TOTP + recovery codes; platform admins can reset on request.
  • RBAC. Role-based access control at the org level, with project-scoped overrides and a custom delegated-admin role builder. Every permission decision writes an audit-log row.
  • Audit logging. 13-month retention on Starter and Pro; 7-year retention on Enterprise. Logs roll over to object storage on a weekly cron and stay accessible via the admin surface.
  • Content-Security-Policy + security headers. Reported violations land in our error-tracking dashboard. We tighten on signal.
  • Tenant isolation. Every database query that touches org-scoped data is gated on org_id; an audit script ratchets the violation count downward release-over-release.
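
As an added illustration of the tenant-isolation bullet (example code, not Cuelist's own implementation), the JavaScript below shows the two checks such a policy rests on: a call-site wrapper that refuses to prepare a D1-style statement touching org-scoped tables unless the SQL carries a parameterised org_id predicate and the caller bound the org id, and an audit function that implements the ratchet, counting unscoped call sites and failing whenever the count rises above the last accepted baseline. The table names, the sample call sites, the baseline value and the stand-in database object are all constructed for the example; only prepare(sql).bind(...) mirrors the shape of the D1 API.

```javascript
// Added example, not Cuelist's code. Two defender-side checks behind an
// "org_id gating + ratchet" tenant-isolation policy.

// Assumed set of tables that hold org-scoped data (names are constructed).
const ORG_SCOPED_TABLES = new Set(["scripts", "annotations", "cues"]);

// Collect table names that follow FROM / JOIN / UPDATE / INTO in a SQL string.
function referencedTables(sql) {
  const re = /\b(?:from|join|update|into)\s+([a-z_][a-z0-9_]*)/gi;
  const tables = new Set();
  let m;
  while ((m = re.exec(sql)) !== null) tables.add(m[1].toLowerCase());
  return tables;
}

// True when the statement touches at least one org-scoped table.
function touchesOrgData(sql) {
  for (const t of referencedTables(sql)) {
    if (ORG_SCOPED_TABLES.has(t)) return true;
  }
  return false;
}

// True when the statement carries a parameterised org_id predicate
// (an aliased column such as s.org_id = ? also matches).
function hasOrgPredicate(sql) {
  return /\borg_id\s*=\s*\?/i.test(sql);
}

// Call-site wrapper. Refuses org-data SQL without the predicate, and refuses
// to prepare anything unless the caller's orgId is among the bound values.
// This is a convention check, not proof that the placeholder lines up with
// the predicate; that is what the static audit below is for.
function orgScopedStatement(db, orgId, sql, binds) {
  if (typeof orgId !== "string" || orgId.length === 0) {
    throw new Error("orgId is required for every statement");
  }
  if (touchesOrgData(sql)) {
    if (!hasOrgPredicate(sql)) {
      throw new Error(`unscoped query touching org data: ${sql}`);
    }
    if (!binds.includes(orgId)) {
      throw new Error("org-scoped statement prepared without binding orgId");
    }
  }
  return db.prepare(sql).bind(...binds);
}

// Ratchet audit over SQL strings harvested from call sites. The violation
// count may never exceed the accepted baseline; when it falls, the lower
// number becomes the new baseline, so the only permitted direction is down.
function auditQueries(sqlList, baseline) {
  const violations = sqlList.filter(
    (sql) => touchesOrgData(sql) && !hasOrgPredicate(sql)
  );
  return {
    violations,
    count: violations.length,
    allowed: violations.length <= baseline,
    newBaseline: Math.min(violations.length, baseline),
  };
}

// Constructed sample call sites; the last one is deliberately unscoped.
const SAMPLE_CALL_SITES = [
  "SELECT id, title FROM scripts WHERE org_id = ? AND project_id = ?",
  "UPDATE annotations SET body = ? WHERE org_id = ? AND id = ?",
  "SELECT s.id FROM scripts s JOIN annotations a ON a.script_id = s.id WHERE s.org_id = ?",
  "SELECT name FROM plans WHERE active = 1",
  "SELECT * FROM cues WHERE id = ?",
];

// Minimal stand-in for a D1 binding so the wrapper can be exercised offline.
const fakeDb = {
  prepare(sql) {
    return {
      sql,
      binds: [],
      bind(...params) {
        this.binds = params;
        return this;
      },
    };
  },
};

// Example run: one scoped statement, then the audit against a baseline of
// one previously accepted violation.
const stmt = orgScopedStatement(fakeDb, "org_123", SAMPLE_CALL_SITES[0], ["org_123", "proj_7"]);
const report = auditQueries(SAMPLE_CALL_SITES, 1);
console.log(stmt.binds, report.count, report.allowed, report.newBaseline);
```

In a release pipeline the baseline would be stored alongside the code and rewritten with `newBaseline` after each green run, so a pull request that adds an unscoped query fails the check while one that removes a legacy violation lowers the bar for everyone after it.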

What we don't (yet)

  • SOC 2 / ISO 27001. Not yet certified. On the roadmap once revenue underwrites the audit cost.
  • SAML / SSO. Schema is in place; login integration ships when the first enterprise procurement request lands. Contact sales@cuelist.dev.
  • DRM / watermarking on PDF export. Lightweight per-viewer watermarking is available; full DRM-grade enforcement is post-launch.

Subprocessors

Cloudflare (hosting, edge, D1, R2, email, web analytics), Stripe (billing), Sentry (error monitoring). The DPA at /legal/dpa lists each with purpose + region.