Security & Trust
How StartConsole protects your strategic data. AES-256 encryption, GDPR and CCPA compliant, enterprise MFA, row-level tenant isolation.
DPA, sub-processor list, and VSQ responses are pre-prepared. Use the form below to request them.
Data Encryption
Every piece of personally identifiable information stored in StartConsole is encrypted at rest using AES-256-GCM — the same standard used by financial institutions. All data in transit is protected by TLS 1.2 or higher. HSTS is enforced across every domain so that no unencrypted connection is ever accepted.
- AES-256-GCM encryption for all PII at rest
- TLS 1.2+ enforced for all data in transit
- HSTS across all domains — no plaintext fallback
Access Control & Authentication
Access is governed at multiple layers. TOTP multi-factor authentication is available for all users and enforced for enterprise accounts. JSON Web Tokens are revocable — a compromised session can be terminated instantly. Row-level security at the database layer means a misconfigured query cannot return data belonging to another organisation.
- TOTP MFA — available for all, enforced for enterprise
- JWT revocation — session invalidation in real time
- Row-level security: cross-tenant access is architecturally impossible
- CSP nonce on every page — XSS injection blocked at the browser
- Rate limiting on all auth endpoints via Upstash Redis
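The tenant-isolation claim above rests on the database enforcing a tenant filter regardless of what the application query says. As an added illustration (not StartConsole's own schema or code), this is what such a policy looks like in PostgreSQL; the table, column and role names are assumed, and the final block is the case the text describes, a query that forgets its tenant clause.

```sql
-- Added example; assumes PostgreSQL. Table, role and column names are hypothetical.
CREATE TABLE strategies (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    title      text NOT NULL
);

-- The application must connect as a role that does NOT own the table:
-- owners and superusers bypass RLS unless FORCE ROW LEVEL SECURITY is set,
-- so the policy only protects queries that run as app_user.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON strategies TO app_user;

ALTER TABLE strategies ENABLE ROW LEVEL SECURITY;
ALTER TABLE strategies FORCE ROW LEVEL SECURITY;   -- apply to the owner as well

-- Each request sets the caller's tenant (taken from the verified JWT) with
-- SET LOCAL; the policy reads it back via current_setting. If the setting is
-- absent the comparison is NULL, so the query returns nothing (fail closed).
CREATE POLICY tenant_isolation ON strategies
    FOR ALL
    TO app_user
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Constructed sample data for two tenants.
INSERT INTO strategies (tenant_id, title) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Tenant A roadmap'),
    ('22222222-2222-2222-2222-222222222222', 'Tenant B roadmap');

-- A request from tenant A whose query omits the WHERE tenant_id filter.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SELECT title FROM strategies;            -- returns only 'Tenant A roadmap'
-- A write aimed at tenant B's data is rejected by the WITH CHECK clause.
INSERT INTO strategies (tenant_id, title)
    VALUES ('22222222-2222-2222-2222-222222222222', 'smuggled');  -- ERROR
ROLLBACK;
```

The policy is only as strong as the tenant setting: it must be derived from the authenticated token on every connection and never from a client-supplied parameter.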
GDPR Compliance
StartConsole is GDPR compliant. Articles 15, 16, 17, and 33 are implemented in production — not policy statements, but testable controls.
- Right of Access (Article 15) — data export endpoint live in production
- Right to Rectification (Article 16) — self-service data correction
- Right to Erasure (Article 17) — full purge on account deletion
- Breach notification (Article 33) — 72-hour notification implemented in code
- DPA available on request for all GDPR-jurisdiction customers
CCPA Compliance
All four core consumer rights under the California Consumer Privacy Act are operational.
- Right to Know — personal data disclosure available on request
- Right to Delete — fulfilled within 45 days as required
- Right to Opt-Out — StartConsole does not sell personal data
- Right to Non-Discrimination — no service degradation for rights requests
Payment Security
StartConsole does not store, process, or transmit payment card data. All billing is handled by Paddle, a Merchant of Record that holds PCI DSS Level 1 certification — the highest level available.
- Zero card data stored on StartConsole infrastructure
- All payments processed by Paddle — PCI DSS Level 1 certified
- Paddle compliance documentation available on request
Compliance Roadmap
We are honest about where we are. These certifications require external auditors — not just engineering effort.
SOC 2 Type II
Expected: 12–18 months. Controls are SOC 2-ready; the independent audit is not yet completed. Enterprise customers can request current controls documentation.
ISO 27001
Following SOC 2 Type II. Requires a formal ISMS audit. Deliberately sequenced: SOC 2 first, ISO 27001 second.
Uptime SLA
Expected: Q3 2026. Uptime is tracked via Vercel and Sentry; an SLA will be published once it is backed by 12 months of verified data.
Need security documentation?
DPA, sub-processor list, VSQ responses, and encryption documentation are pre-prepared.