Effective Date: November 19, 2025 • Last Updated: November 19, 2025

1. Overview

This policy describes the technical and organizational measures Rad Blue, Inc. ("Aurium," "we," "us") implements to protect customer data. Aurium provides AI-powered LinkedIn outreach and lead generation services, processing business contact information and conversation data on behalf of our customers.

2. Infrastructure & Hosting

2.1 Cloud Providers

Service             | Provider          | Compliance     | Region
Application Hosting | Vercel            | SOC 2 Type II  | US (edge network)
Database            | Neon (PostgreSQL) | SOC 2 Type II  | US
Authentication      | Clerk             | SOC 2 Type II  | US
Background Jobs     | Trigger.dev       | -              | US

All infrastructure providers maintain enterprise-grade security controls and undergo regular third-party audits.

2.2 Network Security

  • All traffic encrypted via TLS 1.3
  • Automatic HTTPS enforcement on all endpoints
  • DDoS protection via Vercel's edge network
  • No direct public access to database servers

3. Encryption

3.1 Data in Transit

  • Protocol: TLS 1.3 (minimum TLS 1.2)
  • Certificate Management: Automatic via Vercel
  • API Communications: All internal and external API calls use HTTPS

3.2 Data at Rest

  • Database: AES-256 encryption (Neon default)
  • Backups: Encrypted at rest
  • Secrets: Stored in Vercel environment variables and 1Password

3.3 Password Storage

  • Managed by Clerk
  • bcrypt hashing with unique salts
  • No plaintext password storage

4. Backup & Disaster Recovery

4.1 Backup Schedule

Type                   | Frequency          | Retention
Automated Snapshots    | Daily at 00:00 UTC | 14 days
Point-in-Time Recovery | Continuous         | 14 days

4.2 Recovery Capabilities

  • Point-in-Time Recovery (PITR): Restore to any point within the last 14 days
  • Recovery Time Objective (RTO): < 4 hours
  • Recovery Point Objective (RPO): < 1 hour

4.3 Backup Location

Backups are stored in geographically separate locations from primary data, managed by Neon's infrastructure.

5. Secrets Management

5.1 Secret Storage

  • Application Secrets: Vercel environment variables (encrypted)
  • Team Credentials: 1Password (SOC 2 compliant)
  • CI/CD Secrets: GitHub Secrets (encrypted)

5.2 Secret Handling Practices

  • No secrets in source code
  • Secrets rotated upon team member departure
  • Environment-specific secrets (development vs. production)

6. Monitoring & Logging

6.1 Application Monitoring

  • Error Tracking: Sentry (real-time alerts)
  • Analytics: PostHog (product analytics)
  • Uptime: Vercel status monitoring

6.2 Log Retention

  • Application logs: 30 days
  • Security events: 90 days
  • Audit logs: 1 year

6.3 Logged Events

  • Authentication attempts (success/failure)
  • Data access events
  • Configuration changes
  • API errors

7. Vulnerability Management

7.1 Dependency Security

  • Automated Scanning: Dependabot for dependency vulnerabilities
  • Update Policy: Security patches applied within 7 days of release
  • Critical Vulnerabilities: Addressed within 24-48 hours

7.2 Code Security

  • Code review required for all changes
  • Automated testing in CI/CD pipeline
  • Production deployments via Vercel (immutable deployments)

8. Compliance

  • Infrastructure providers are SOC 2 Type II certified
  • GDPR-compliant data handling practices
  • CCPA-compliant for California residents
  • Annual penetration testing program
  • Vulnerability disclosure program active

9. Contact

For security inquiries: security@aurium.ai