Security at Dilly Labs
How we protect your data and your members' data.
Infrastructure
Cloud-native hosting
Hosted on AWS (us-west-2, Oregon) via Supabase and Vercel. No on-premises infrastructure.
Encryption everywhere
AES-256 encryption at rest on all storage volumes and backups. TLS 1.2+ enforced on all connections in transit.
Automated backups
Daily automated database backups with point-in-time recovery. Stored in a separate AWS availability zone.
Authentication & access control
Enterprise SSO
Microsoft Entra ID federation (OIDC/OAuth 2.0) for partner deployments, included at no additional cost. No separate account creation required for members.
Tenant isolation
Postgres Row-Level Security policies are enforced at the database layer. Every query runs in the context of the authenticated organization, so cross-tenant reads and writes are rejected by the database itself rather than relying on application code to filter them.
CSRF protection
Double-submit token pattern: every state-changing request must present the CSRF token both in a cookie and in the request itself, and the server validates that the two match before acting on the request.
Session security
Configurable session timeouts, brute-force protection, and rate limiting at the authentication layer.
Application security
Secure by default
React with TypeScript. The Supabase SDK builds parameterized queries, so user input is never concatenated into SQL and SQL injection is prevented. React escapes interpolated values by default, which prevents XSS in rendered content; the exception is raw HTML insertion via dangerouslySetInnerHTML, see Input sanitization below.
Security headers
Content-Security-Policy, Strict-Transport-Security, X-Frame-Options (DENY), X-Content-Type-Options, and Referrer-Policy headers enforced in production.
Input sanitization
Input from all user-facing forms is sanitized with DOMPurify. PII is automatically redacted from application logs.
Dependency monitoring
GitHub Dependabot scans dependencies weekly. Security patches rated medium or higher are applied within the regular release cycle.
Compliance & testing
SOC 2 Type II is on our roadmap for 2026. We do not hold SOC 2 or ISO 27001 certification today.
External penetration testing is planned for Q3 2026 as part of SOC 2 readiness.
MVSP self-assessment — we perform annual self-assessments using the Minimum Viable Secure Product framework. Available to partners on request.
Vulnerability patching — critical and actively exploited vulnerabilities are patched within 48 hours. High-severity within 30 days. All material vulnerabilities within 90 days.
Report a vulnerability
If you discover a security vulnerability, please report it to security@dillylabs.com. We triage all reports within 48 hours and will work with you to understand and resolve the issue. We ask that you give us reasonable time to address vulnerabilities before public disclosure.
Sub-processors
Third-party services that process or store customer data on behalf of Dilly Labs.
| Provider | Purpose |
|---|---|
| Supabase | Database, authentication, edge compute |
| Vercel | Application hosting, CDN, edge network |
| AWS | Underlying cloud infrastructure (via Supabase) |
| Resend | Transactional email delivery |
Complete sub-processor list available on request. Reviewed annually for security posture.
