CIA Development, LLC is a small, owner-operated product studio. Our security model favors a deliberately small attack surface, modern defaults, and least-privilege access over complexity. We are not currently SOC 2 or ISO 27001 certified; the controls described here reflect what we actually do today. We're happy to complete security questionnaires and sign a mutual NDA — contact security@cia.dev.
Hosting & infrastructure
- Production runs on Google Cloud Platform (US region). We inherit Google's physical, environmental, and hardware security controls; Google maintains SOC 2, SOC 3, ISO 27001, and other certifications for its infrastructure.
- Servers run a current, hardened Ubuntu LTS with a minimal set of services.
- Network access is restricted at the cloud firewall to HTTP/HTTPS and SSH only. SSH is key-based only (Ed25519); password authentication is disabled.
- fail2ban protects exposed services from brute-force attempts.
Encryption
- In transit: all traffic is served over TLS 1.2/1.3 with modern cipher suites and HSTS. Certificates are issued and auto-renewed via Let's Encrypt. HTTP is redirected to HTTPS.
- At rest: Google Cloud encrypts all data at rest by default (AES-256). Application secrets are held in the runtime environment, never in source code or version control.
Access control
- Production access is limited to the principal/owner on a least-privilege basis.
- Multi-factor authentication (MFA) is enforced on Google Cloud, GitHub, and email.
- Deploy automation uses read-only credentials (per-repository deploy keys).
Application & development security
- All code is version-controlled in GitHub (private repositories) and reviewed before it ships.
- Secrets are never committed to source control; they are injected as environment variables at runtime.
- Dependencies are monitored with GitHub Dependabot for known vulnerabilities.
- Web responses carry a strict security-header set: Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
- User-supplied input is validated and output-encoded; public forms are rate-limited.
Patching & vulnerability management
- Automatic security updates are applied to operating-system packages (unattended-upgrades).
- Automated external vulnerability scans run daily, with more thorough security reviews performed monthly.
- Dependency advisories are triaged and remediated promptly.
Monitoring & logging
- Server, access, and application logs are retained for investigation and troubleshooting.
- Availability is monitored continuously; we operate public status pages for our products.
Backups & resilience
- Nightly automated backups of site content and configuration are taken and retained on a rolling basis.
- Source code is independently recoverable from version control. Infrastructure is reproducible from configuration, enabling rapid rebuilds.
Endpoint security
- Workstations use full-disk encryption (FileVault) with automatic screen lock and are kept current with OS and security updates.
Incident response
If we identify a security incident, we investigate, contain, and remediate it as a priority. Where an incident affects data we process on a client's behalf, we commit to notifying the affected client without undue delay and within 72 hours of confirming the incident, and to providing the information they need to meet their own obligations.
Reporting a vulnerability
Found a security issue? Please see our Vulnerability Disclosure Policy or email security@cia.dev.