Security
Security at Minnow
We’re working toward SOC 2 Type 1 certification, targeted for Q1 2027. Here’s what we do today, and what’s next.
What we do today
- Encrypted in transit via TLS (HTTPS everywhere, HTTP/3 via Vercel's edge network)
- Encrypted at rest (Neon-managed Postgres, AES-256)
- Stripe handles all payment data (PCI DSS Level 1 certified — Minnow never touches card numbers)
- Passwordless authentication — no passwords are stored, so there are no passwords to leak
- Database-backed sessions (revocable, no long-lived JWT secrets to leak)
- Append-only audit log on every state transition — every order, swarm, payment, and gift claim leaves an immutable event row
- Per-organization data isolation enforced at the query layer (no cross-tenant data access)
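Three of the controls listed above (database-backed revocable sessions, an append-only audit log, and per-organization isolation enforced at the query layer) are sketched here as an added in-memory TypeScript example. This is not Minnow's code; all class, field and event names are assumed. The point it demonstrates is that the tenant id used in every query comes from the server-side session, never from the request, so a caller who guesses another organization's order id gets "not found" rather than the row, and revoking a session takes effect on the very next request.

```typescript
// Added illustration, not Minnow's code. Names and shapes are assumed.
type OrgId = string;

interface Session {
  token: string;
  userId: string;
  orgId: OrgId;      // tenant is bound at login; never read from the request
  expiresAt: number; // epoch millis
  revokedAt?: number;
}

interface Order { id: string; orgId: OrgId; totalCents: number; }

interface AuditEvent {
  seq: number; // monotonic; the log exposes no update or delete path
  at: number;
  actor: string;
  orgId: OrgId;
  action: string;
  subject: string;
}

interface OrderResult { ok: boolean; reason?: "unauthenticated" | "not_found"; order?: Order; }

// Database-backed sessions: the server owns the row, so revocation is immediate
// instead of waiting for a signed token to expire.
class SessionStore {
  private rows = new Map<string, Session>();
  create(s: Session): void { this.rows.set(s.token, s); }
  revoke(token: string, now: number): void {
    const s = this.rows.get(token);
    if (s) s.revokedAt = now;
  }
  // Returns the live session or null; expired and revoked rows are never handed out.
  resolve(token: string, now: number): Session | null {
    const s = this.rows.get(token);
    if (!s || s.revokedAt !== undefined || s.expiresAt <= now) return null;
    return s;
  }
}

// Append-only audit log: append() and read() are the whole surface; rows are frozen.
class AuditLog {
  private events: AuditEvent[] = [];
  append(e: Omit<AuditEvent, "seq">): number {
    const seq = this.events.length + 1;
    this.events.push(Object.freeze({ ...e, seq }));
    return seq;
  }
  read(): readonly AuditEvent[] { return this.events; }
}

// Query layer: orgId is a required parameter of every accessor, so there is no
// code path that reads orders without a tenant filter.
class OrderRepo {
  private rows: Order[] = [];
  insert(o: Order): void { this.rows.push(o); }
  findForOrg(orgId: OrgId, id: string): Order | null {
    return this.rows.find((r) => r.orgId === orgId && r.id === id) || null;
  }
}

class OrderService {
  constructor(private sessions: SessionStore, private orders: OrderRepo, private audit: AuditLog) {}

  // The only org id that reaches the query is the one on the resolved session.
  getOrder(token: string, orderId: string, now: number): OrderResult {
    const session = this.sessions.resolve(token, now);
    if (!session) return { ok: false, reason: "unauthenticated" };
    const order = this.orders.findForOrg(session.orgId, orderId);
    this.audit.append({
      at: now, actor: session.userId, orgId: session.orgId,
      action: order ? "order.read" : "order.read_denied", subject: orderId,
    });
    return order ? { ok: true, order } : { ok: false, reason: "not_found" };
  }
}

// Constructed sample data for a stand-alone run: two tenants, one order, one revocation.
function demo() {
  const sessions = new SessionStore();
  const orders = new OrderRepo();
  const audit = new AuditLog();
  const svc = new OrderService(sessions, orders, audit);
  const now = 1_700_000_000_000;

  sessions.create({ token: "tok-alice", userId: "alice", orgId: "org-a", expiresAt: now + 3_600_000 });
  sessions.create({ token: "tok-bob", userId: "bob", orgId: "org-b", expiresAt: now + 3_600_000 });
  orders.insert({ id: "ord-1", orgId: "org-a", totalCents: 4200 });

  const own = svc.getOrder("tok-alice", "ord-1", now);          // org-a reads its own order
  const cross = svc.getOrder("tok-bob", "ord-1", now);          // org-b gets not_found, not the row
  sessions.revoke("tok-alice", now);
  const revoked = svc.getOrder("tok-alice", "ord-1", now + 1);  // rejected on the next request

  return { own, cross, revoked, auditActions: audit.read().map((e) => e.action) };
}
```

The cross-tenant denial is still recorded in the audit log (as `order.read_denied`), while the revoked-session attempt never reaches the query layer at all, so it produces no event; a production service would typically log that authentication failure separately.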
Sub-processors
We use a small set of SOC 2 Type 2-certified vendors for the parts of the stack we don’t run ourselves.
| Vendor | Role | Compliance |
|---|---|---|
| Vercel | Hosting + edge | SOC 2 Type 2 |
| Neon | Postgres database | SOC 2 Type 2 |
| Stripe | Payment processing | PCI DSS Level 1, SOC 2 Type 2 |
| Resend | Transactional email | SOC 2 Type 2 |
| Google (Gemini) | AI helpers | SOC 2 Type 2 |
| Vercel Blob | File storage | SOC 2 Type 2 |
Roadmap
- SOC 2 Type 1 audit — Q1 2027
- Annual penetration testing — scheduled Q3 2026
- Vendor security packet — available on request today
Reporting an issue
Found a security issue? Email security@withminnow.com. We respond within one business day and acknowledge every report. Please don’t disclose publicly until we’ve had a chance to investigate.
Need our security packet for procurement review? We have a one-pager covering controls, architecture, and incident response.
Request the packet