Built by security operators.
Defended like one.
After Action holds itself to the same standards we help our clients meet. This page documents every control we enforce, the frameworks we align to, and how to reach us if you find something we missed.
Platform controls
Every control listed is enforced in production today.
Encryption in transit & at rest
TLS 1.3 on every connection with HSTS preload. AES-256 at rest on all Postgres tables and Supabase Storage buckets. No plaintext secrets anywhere in the stack.
Row-level security on every table
All 42 database tables enforce row-level security policies. Users can only read data from organizations they belong to. The service-role key is never used in client-side code.
Hashed API keys
Carrier API keys are SHA-256 hashed before storage. We never see or store the plaintext. Rotation is self-service and takes effect immediately.
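As an added illustration of the scheme described above (example code written for this page, not After Action's own implementation), the following TypeScript shows what "hashed before storage, never stored in plaintext, self-service rotation" looks like end to end: issue a high-entropy random key and hand the plaintext back exactly once, persist only its SHA-256, verify a presented key by hashing it and comparing in constant time, and revoke the old row on rotation. The in-memory `keyTable` and its columns are a constructed stand-in for a database table; the page names no schema.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Constructed stand-in for a database table of hashed carrier keys.
// Column names are hypothetical; only the hash is ever persisted.
interface StoredKey {
  id: string;
  orgId: string;
  keyHash: string;        // hex SHA-256 of the plaintext key
  revokedAt: Date | null; // set on rotation or manual revocation
}

const keyTable: StoredKey[] = [];

// A plain SHA-256 is sufficient here (no bcrypt/argon2 needed): the key is 256 bits of
// CSPRNG output, so an attacker holding the hash has nothing feasible to guess offline.
// Slow password hashes exist to protect low-entropy, human-chosen secrets.
function hashApiKey(plaintext: string): string {
  return createHash("sha256").update(plaintext, "utf8").digest("hex");
}

// Issue a new key: the plaintext is returned to the caller once and never stored.
function issueApiKey(orgId: string): { id: string; plaintext: string } {
  const plaintext = "ak_" + randomBytes(32).toString("base64url"); // "ak_" prefix is a constructed convention
  const id = randomBytes(8).toString("hex");
  keyTable.push({ id, orgId, keyHash: hashApiKey(plaintext), revokedAt: null });
  return { id, plaintext };
}

// Verify a presented key: hash it, then compare against active rows in constant time.
// In a real database this would be a single indexed lookup on the hash column; the
// loop here only stands in for that query.
function verifyApiKey(presented: string): StoredKey | null {
  const presentedHash = Buffer.from(hashApiKey(presented), "hex");
  for (const row of keyTable) {
    if (row.revokedAt !== null) continue;
    const stored = Buffer.from(row.keyHash, "hex");
    if (stored.length === presentedHash.length && timingSafeEqual(stored, presentedHash)) {
      return row;
    }
  }
  return null;
}

// Self-service rotation: the old key stops verifying immediately; a fresh one is issued
// for the same organization and returned to the caller.
function rotateApiKey(oldId: string): { id: string; plaintext: string } | null {
  const row = keyTable.find((r) => r.id === oldId && r.revokedAt === null);
  if (!row) return null;
  row.revokedAt = new Date();
  return issueApiKey(row.orgId);
}
```

The design choice worth noting is that the hash column doubles as the lookup key: because the key is random and full-entropy, an exact-match index on the SHA-256 is both safe and fast, and the constant-time comparison guards the final equality check rather than a search.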
Authentication via Supabase
Email + password with bcrypt hashing, magic-link option, session cookies with HttpOnly + Secure + SameSite=Lax. Sessions auto-refresh via Next.js middleware; no exposed tokens.
Data residency you control
Pick your Supabase region at org creation — US, EU, APAC. We do not move data across regions. Backups are encrypted and retained for 30 days.
Immutable audit log
Every sensitive mutation (exercise edits, deliverable exports, certificate issuance) is written to an append-only audit_log table with actor, timestamp, and before/after snapshots.
Infrastructure hardening
CSP, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, strict CORS, Permissions-Policy disabling camera/mic/geolocation. Deployed on Vercel with automatic TLS.
Vulnerability management
Dependency scanning on every build, mandatory type-check + test gate before deploy, and Sentry error tracking in production. Reports acknowledged within 24 hours.
Compliance posture
What we've achieved, what's on the roadmap.
| Framework | Posture | State |
|---|---|---|
| SOC 2 Type II | Roadmap Q3 2026 | roadmap |
| NIST 800-61 rev 3 | Aligned | live |
| NIST CSF 2.0 | Mapping engine built-in | mapped |
| ISO 27001:2022 | Mapping engine built-in | mapped |
| HIPAA | BAA on Enterprise tier | live |
| PCI-DSS 4.0 | Mapping engine built-in | mapped |
| CIS Controls v8 | Mapping engine built-in | mapped |
| CMMC Level 2 | Mapping engine built-in | mapped |
Responsible disclosure
Found something? Tell us.
Email security@afteraction.dev with reproduction steps. We acknowledge every report within 24 hours and will keep you updated until it's resolved. We do not pursue legal action against good-faith researchers who follow this policy.
Security reports
security@afteraction.dev
Privacy requests
privacy@afteraction.dev