Security is foundational. We don't treat it as a marketing checkbox - the architecture is intentionally simple to keep the attack surface small.
Hosting
- Application: Vercel (EU primary region, US CDN edge).
- Database: self-hosted PostgreSQL on Oracle Cloud Infrastructure (UK region). Self-hosting gives us full control of access, backups, and tuning.
- Jobs: Trigger.dev (EU region) for scheduled tasks that exceed Vercel cron limits.
Encryption
- TLS 1.2 or higher for all traffic. HSTS enabled.
- Database disks encrypted at rest.
- OAuth tokens (eBay, etc.) encrypted at rest using application-level encryption, so a copy of the database alone does not yield usable tokens.
- Passwords are never stored in plaintext; authentication is delegated to Clerk, which stores only bcrypt-equivalent password hashes.
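Added example, not the project's own code: one way to do the application-level encryption of a stored OAuth token described above, using AES-256-GCM from Node's crypto module. The key, key id, tenant ids and token value are constructed for the example; in production the key would come from a secret manager, not the repository. The tenant id is passed as additional authenticated data, so a ciphertext copied from one tenant's row into another's fails to decrypt, and the key id prefix leaves room for rotation.

```typescript
// Added example (not the project's code): AES-256-GCM encryption of an OAuth
// token at rest. Key, key id, tenant ids and token below are constructed.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Constructed 32-byte key; a real deployment loads this from a secret store.
const KEY_ID = "k1";
const KEYS: Record<string, Buffer> = {
  [KEY_ID]: Buffer.from(
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "hex",
  ),
};

// Stored format: keyId.iv.ciphertext.tag (iv/ciphertext/tag as base64url).
function encryptToken(plaintext: string, tenantId: string, keyId = KEY_ID): string {
  const key = KEYS[keyId];
  if (!key) throw new Error(`unknown key id ${keyId}`);
  const iv = randomBytes(12); // 96-bit nonce, fresh for every encryption
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(tenantId)); // bind the ciphertext to the owning tenant
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return [
    keyId,
    iv.toString("base64url"),
    ct.toString("base64url"),
    tag.toString("base64url"),
  ].join(".");
}

function decryptToken(stored: string, tenantId: string): string {
  const [keyId, ivB64, ctB64, tagB64] = stored.split(".");
  const key = KEYS[keyId];
  if (!key) throw new Error(`unknown key id ${keyId}`);
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(ivB64, "base64url"));
  decipher.setAAD(Buffer.from(tenantId));
  decipher.setAuthTag(Buffer.from(tagB64, "base64url"));
  // final() throws when the tag does not verify: tampered ciphertext,
  // wrong key, or a token moved to a different tenant.
  return Buffer.concat([
    decipher.update(Buffer.from(ctB64, "base64url")),
    decipher.final(),
  ]).toString("utf8");
}

// True when the stored value does NOT decrypt for the given tenant.
function rejectsForTenant(stored: string, tenantId: string): boolean {
  try {
    decryptToken(stored, tenantId);
    return false;
  } catch {
    return true;
  }
}
```

The per-tenant AAD is the part worth copying: without it, an attacker who can write to the tokens table (or a bug that joins the wrong rows) can make one account use another account's eBay credentials while every ciphertext still verifies.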
Access controls
- SSH access to production hosts is key-only; root password login is disabled.
- fail2ban active on production hosts.
- Per-tenant data isolation enforced at the application layer; every protected route checks ownership before reading or writing.
- Multi-factor auth available on user accounts via Clerk.
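Added example, not the project's own code: what the per-tenant ownership check on a protected route looks like, with the insecure lookup-by-id pattern beside the tenant-scoped one. The session shape, the listing records and the in-memory store standing in for PostgreSQL are constructed for the example; the same scoping is `WHERE id = $1 AND org_id = $2` in SQL.

```typescript
// Added example (not the project's code): ownership check on a protected route.
// Session shape, records and the in-memory store are constructed.

type Session = { userId: string; orgId: string }; // from the verified auth session
type Listing = { id: string; orgId: string; title: string };

// Constructed rows standing in for a PostgreSQL table.
const LISTINGS: Listing[] = [
  { id: "lst_1", orgId: "org_a", title: "Vintage lens" },
  { id: "lst_2", orgId: "org_b", title: "Film camera" },
];

type Result = { status: 200 | 404; body?: Listing };

// Vulnerable: looks the row up by id only. Any authenticated user can read any
// tenant's row by guessing or enumerating ids (an insecure direct object reference).
function getListingUnscoped(_session: Session, id: string): Result {
  const row = LISTINGS.find((l) => l.id === id);
  return row ? { status: 200, body: row } : { status: 404 };
}

// Hardened: the tenant comes from the verified session, never from the request,
// and the lookup is scoped by it (SQL: WHERE id = $1 AND org_id = $2). A row that
// belongs to another tenant is reported as 404 rather than 403, so the response
// does not confirm that the id exists.
function getListingScoped(session: Session, id: string): Result {
  const row = LISTINGS.find((l) => l.id === id && l.orgId === session.orgId);
  return row ? { status: 200, body: row } : { status: 404 };
}

// Writes use the same scoped lookup before mutating. Returns the number of rows
// changed: 0 means absent or not owned by the caller's tenant.
function renameListing(session: Session, id: string, title: string): number {
  const row = LISTINGS.find((l) => l.id === id && l.orgId === session.orgId);
  if (!row) return 0;
  row.title = title;
  return 1;
}
```

The discipline is that the tenant id is never read from a request parameter or body, and every query that touches tenant-owned data carries it as a filter, so an id alone is never sufficient to reach a row.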
Monitoring and incident response
- Sentry captures every unhandled error, tagged with the request ID so it can be correlated with the corresponding log lines.
- Structured logs land in our log pipeline; warnings and errors forward to Sentry.
- Activity audit trail records every meaningful user action.
- Daily security patches applied via dnf-automatic on production hosts.
Backups
Database backups run nightly with WAL archiving for point-in-time recovery. Backup retention: 30 days. We test restore quarterly because untested backups don't exist.
SOC 2 / ISO 27001
We are not currently certified. We follow many of the practical controls (access review, encryption, change management, vendor risk) but a formal audit is on the roadmap, not done.
Reporting a vulnerability
Email security@deltapp.com with details and a reproduction. We respond within 48 hours. We don't run a bug bounty programme yet, but we're grateful for responsible disclosure and credit researchers in our changelog.