Security & Privacy Pack
The posture behind the platform.
No marketing fluff. The exact controls, encryption, authentication, and compliance stance we run in production — plus the formal-verification stance adopted from research into agentic systems.
Six pillars.
Encryption
TLS 1.3 in transit. AES-256 at rest via Neon Postgres + Railway managed storage. Secrets in Railway environment layer; zero plaintext in repo.
Authentication
Clerk-managed auth (SOC2 Type II upstream). WebAuthn passkeys supported. MFA enforced for operator surfaces. Session JWTs rotate on refresh.
Authorization
Claims-based fine-grained permissions. Middleware gates /dashboard and /portal; all /api routes run through api-guard with schema validation.
Rate limiting
Upstash Redis sliding-window counters across public APIs. Arcjet bot + shield rules on ingress.
Monitoring
Sentry error tracking with release tags. PostHog product analytics. /api/health probe every 5min. Structured logs with 7-year retention.
Formal verification
Z3 SMT solver adopted as posture (reference: "Broken by Default" research, 97.8% reported catch rate). Critical paths verified against invariant specs.
Compliance & audit.
| Regime | Status | Notes |
|---|---|---|
| PDPL (Jordan) | Compliant | Data minimization, consent tracking, DPO appointed (Reem). Processing registry maintained. |
| GDPR (EU persons) | Compliant | Lawful basis documented per processing activity. DSAR workflow live. |
| EU AI Act | Readiness in progress | Aug 2 2026 GPAI deadline. Risk classification complete. Technical docs drafting. |
| SOC 2 Type II | Roadmap Q4 2026 | Controls mapped against CC1–CC9. Vanta or Drata engagement targeted. |
| Penetration test | Scheduled Q3 2026 | Third-party engagement. Report excerpt published here post-test. |
Trust Pack · v1
Machine-readable trust artifacts.
Every public security claim on this page is backed by a structured artifact below — for procurement review, agent consumption, and audit trails.
/security/subprocessors
Subprocessors →
Every third party processing STEADYWRK data — role, region, SOC2, DPA link.
/security/data-flow
Data flow →
Inbound → Edge → App → Data → Egress. Every hop, named.
/trust/subprocessors.json
Subprocessors JSON →
Source-of-truth JSON for agents, crawlers, and procurement pipelines.
/.well-known/security.txt
security.txt (RFC 9116) →
Contact, canonical URL, expiration, and policy for security researchers.
Responsible disclosure.
Found a security issue? Email security@steadywrk.app with proof-of-concept and reproduction steps. We acknowledge within 24 hours and coordinate disclosure. No bug bounty yet; we ship credit and a thank-you issue.