Security & Trust

Built by security operators.
Defended like one.

After Action holds itself to the same standards we help our clients meet. This page documents every control we enforce, the frameworks we align to, and how to reach us if you find something we missed.

Platform controls

Every control listed is enforced in production today.

01

Encryption in transit & at rest

TLS 1.3 on every connection with HSTS preload. AES-256 at rest on all Postgres tables and Supabase Storage buckets. No plaintext secrets anywhere in the stack.

02

Row-level security on every table

Every database table enforces row-level security policies. Users can only read data from organizations they belong to. The service-role key is never used in client-side code.

03

Hashed API keys

Carrier API keys are SHA-256 hashed before storage. We never see or store the plaintext. Rotation is self-service and takes effect immediately.

04

Authentication via Supabase

Email + password with bcrypt hashing, magic-link option, session cookies with HttpOnly + Secure + SameSite=Lax. Sessions auto-refresh via Next.js middleware; no exposed tokens.

05

Data residency you control

Customer data is hosted on Supabase in the US and never moved across regions. Backups are encrypted at rest. EU/APAC hosting is on the roadmap for enterprise deployments.

06

Immutable audit log

Every sensitive mutation (exercise edits, deliverable exports, certificate issuance) is written to an append-only audit_log table with actor, timestamp, and before/after snapshots.

07

Infrastructure hardening

CSP, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, strict CORS, Permissions-Policy disabling camera/mic/geolocation. Deployed on Vercel with automatic TLS.

08

Vulnerability management

Mandatory type-check, lint, and full test gate before every deploy, plus Sentry error tracking in production. Security reports acknowledged within 24 hours.

Compliance posture

What we've achieved, what's on the roadmap.

FrameworkPostureState
SOC 2 Type IIRoadmap Q3 2026roadmap
NIST 800-61 rev 3Alignedlive
NIST CSF 2.0Mapping engine built-inmapped
ISO 27001:2022Mapping engine built-inmapped
HIPAAMapping engine built-inmapped
PCI-DSS 4.0Mapping engine built-inmapped
CIS Controls v8Mapping engine built-inmapped
CMMC Level 2Mapping engine built-inmapped
SSO (SAML / OIDC)Roadmap Q4 2026 — Enterprise tierroadmap
MFA (TOTP / WebAuthn)Roadmap Q3 2026roadmap

A signed Data Processing Agreement (DPA) is available on request — email privacy@afteraction.dev with your legal team's template or ask for ours.

Subprocessors

Every vendor that touches your data.

We list every subprocessor that processes customer data on our behalf, what they do, and where the data lives. Material changes are announced 30 days in advance via email to org owners.

VendorPurposeDataRegion
VercelHosting + edge CDNApplication HTTP traffic, logsUS (global edge)
SupabasePostgres + Auth + StorageAll customer dataUS
StripePayments + billingName, email, billing address; PCI handled by StripeUS
ResendTransactional emailRecipient email + email contentUS
Anthropicoptional — rule-based engine is defaultOptional AI coachingExercise prompts (only if org configures a key)US

Federal procurement

SDVOSB certified.

After Action, LLC is a certified Service-Disabled Veteran-Owned Small Business. Federal customers can engage us via SDVOSB set-aside contracts under FAR 19.14; civilian-agency customers can use the same mechanism via 13 CFR 125.

Status
SDVOSB Certified
Founder
Scott Alford — service-disabled veteran
Entity
After Action, LLC — California

Responsible disclosure

Found something? Tell us.

Email security@afteraction.dev with reproduction steps. We acknowledge every report within 24 hours and will keep you updated until it's resolved. We do not pursue legal action against good-faith researchers who follow this policy.

Customer breach notification: If After Action experiences a confirmed security incident affecting customer data, we notify affected org owners by email within 72 hours of confirmation, with what we know, what we're doing, and what you should do. We send the first update even when we don't yet have the full picture — clarity beats speed only after the first message lands.

Security reports

security@afteraction.dev

Privacy requests

privacy@afteraction.dev