Built by security operators.
Defended like one.
After Action holds itself to the same standards we help our clients meet. This page documents every control we enforce, the frameworks we align to, and how to reach us if you find something we missed.
Platform controls
Every control listed is enforced in production today.
Encryption in transit & at rest
TLS 1.3 on every connection with HSTS preload. AES-256 at rest on all Postgres tables and Supabase Storage buckets. No plaintext secrets anywhere in the stack.
Row-level security on every table
Every database table enforces row-level security policies. Users can only read data from organizations they belong to. The service-role key is never used in client-side code.
Hashed API keys
Carrier API keys are SHA-256 hashed before storage. We never see or store the plaintext. Rotation is self-service and takes effect immediately.
Authentication via Supabase
Email + password with bcrypt hashing, magic-link option, session cookies with HttpOnly + Secure + SameSite=Lax. Sessions auto-refresh via Next.js middleware; no exposed tokens.
Data residency you control
Customer data is hosted on Supabase in the US and never moved across regions. Backups are encrypted at rest. EU/APAC hosting is on the roadmap for enterprise deployments.
Immutable audit log
Every sensitive mutation (exercise edits, deliverable exports, certificate issuance) is written to an append-only audit_log table with actor, timestamp, and before/after snapshots.
Infrastructure hardening
CSP, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, strict CORS, Permissions-Policy disabling camera/mic/geolocation. Deployed on Vercel with automatic TLS.
Vulnerability management
Mandatory type-check, lint, and full test gate before every deploy, plus Sentry error tracking in production. Security reports acknowledged within 24 hours.
Compliance posture
What we've achieved, what's on the roadmap.
| Framework | Posture | State |
|---|---|---|
| SOC 2 Type II | Roadmap Q3 2026 | roadmap |
| NIST 800-61 rev 3 | Aligned | live |
| NIST CSF 2.0 | Mapping engine built-in | mapped |
| ISO 27001:2022 | Mapping engine built-in | mapped |
| HIPAA | Mapping engine built-in | mapped |
| PCI-DSS 4.0 | Mapping engine built-in | mapped |
| CIS Controls v8 | Mapping engine built-in | mapped |
| CMMC Level 2 | Mapping engine built-in | mapped |
| SSO (SAML / OIDC) | Roadmap Q4 2026 — Enterprise tier | roadmap |
| MFA (TOTP / WebAuthn) | Roadmap Q3 2026 | roadmap |
A signed Data Processing Agreement (DPA) is available on request — email privacy@afteraction.dev with your legal team's template or ask for ours.
Subprocessors
Every vendor that touches your data.
We list every subprocessor that processes customer data on our behalf, what they do, and where the data lives. Material changes are announced 30 days in advance via email to org owners.
| Vendor | Purpose | Data | Region |
|---|---|---|---|
| Vercel | Hosting + edge CDN | Application HTTP traffic, logs | US (global edge) |
| Supabase | Postgres + Auth + Storage | All customer data | US |
| Stripe | Payments + billing | Name, email, billing address; PCI handled by Stripe | US |
| Resend | Transactional email | Recipient email + email content | US |
| Anthropicoptional — rule-based engine is default | Optional AI coaching | Exercise prompts (only if org configures a key) | US |
Federal procurement
SDVOSB certified.
After Action, LLC is a certified Service-Disabled Veteran-Owned Small Business. Federal customers can engage us via SDVOSB set-aside contracts under FAR 19.14; civilian-agency customers can use the same mechanism via 13 CFR 125.
- Status
- SDVOSB Certified
- Founder
- Scott Alford — service-disabled veteran
- Entity
- After Action, LLC — California
- Federal POC
- federal@afteraction.dev
Responsible disclosure
Found something? Tell us.
Email security@afteraction.dev with reproduction steps. We acknowledge every report within 24 hours and will keep you updated until it's resolved. We do not pursue legal action against good-faith researchers who follow this policy.
Customer breach notification: If After Action experiences a confirmed security incident affecting customer data, we notify affected org owners by email within 72 hours of confirmation, with what we know, what we're doing, and what you should do. We send the first update even when we don't yet have the full picture — clarity beats speed only after the first message lands.
Security reports
security@afteraction.devPrivacy requests
privacy@afteraction.dev