Security

Security at Porchops.

What we do, what we don't do, and how to reach us when something needs fixing.

Email security@porchops.com for vulnerability disclosure or any technical security question. For evidence packages, customer-data agreements, or DPA requests, email legal@porchops.com.

SOC 2

SOC 2 readiness, in progress.

We're currently going through SOC 2 readiness, a formal assessment of how we handle access control, encryption, vendor management, change management, and incident response. We engaged the readiness work in early 2026; a Type II report is the target before the end of the calendar year.

Until the report lands, we're publishing every commit that improves our posture in the Porchops changelog. If you need an evidence package or a short security summary today, email hello@porchops.com and we'll send what's current.

Threat model

What we worry about.

Customer data is the most sensitive thing we hold: Stripe customer records, email content, and internal customer-graph metadata. The threat model assumes a sophisticated attacker; the controls assume the worst day.

We design for the failure modes that matter: credential theft (least-privilege scopes, key rotation), supply chain (dependency pinning, minimal third-party JS), prompt injection (untrusted content never triggers an action unless it clears explicit founder-approval thresholds), and data exfiltration (every outbound API call is auditable in the run log).

Data handling

Where your data lives. What we never do with it.

Customer data is encrypted at rest (AES-256) and in transit (TLS 1.3 minimum). It lives in US-region Postgres (Neon) with point-in-time recovery and per-row tenant isolation. Backups are encrypted and retained according to our published retention policy.

We never train AI models on your customer data. Our agreements with Anthropic and OpenAI include zero-retention clauses for content sent through the API, and our Privacy Policy commits to it contractually. If you can't find that commitment in our Privacy Policy, that's a bug — please tell us.

We never sell, share, or rent customer data. Subprocessors are listed publicly at /legal/sub-processors and we update that page when the list changes.

Vulnerability disclosure

How to report something.

Email security@porchops.com. Include a description, reproduction steps, and any proof-of-concept you're comfortable sharing. We'll acknowledge within one business day and update you weekly until the issue is resolved.

We don't run a paid bug bounty program at this scale, but we will name responsible reporters in the changelog (with permission) and send a thank-you that's worth more than zero.

Do not perform testing that could affect customers other than yourself. Do not run automated scans that send more than a handful of requests per second. We try to act quickly; please give us a chance to do the same.

Subprocessors

Who we use, what they do.

Our public subprocessor list is at /legal/sub-processors. The list covers cloud infrastructure (Vercel, Neon), email delivery (Resend), AI inference (Anthropic, OpenAI), rate limiting (Upstash), and analytics (Plausible). Each subprocessor's role is named, and the list is updated when it changes.

Any new subprocessor with material access to customer data goes on the list at least 30 days before activation, so customers with sensitivities can object before the change takes effect.

Incident communication

What you'll hear from us when something breaks.

Status updates land at status.porchops.com, which runs on independent infrastructure rather than the platform it reports on. Inky narrates incidents in real time with timestamps and what's happening.

Customer-impacting incidents trigger an email within four hours of detection (often within minutes) with an honest summary of what happened, who was affected, and what we're doing about it. Post-mortems are published to the changelog with named action items and target dates.

We don't write incident communications to minimize liability. We write them so the next founder running a SaaS can read them and learn something.