Security Overview
Last updated: May 31, 2026
- Document owner: Chief Information Security Officer (or delegated Security Lead)
- Review cadence: Quarterly; immediate revision after material control, vendor, or incident changes
- Effective date: 2026-05-31
- Legal entity: EthicPages, Inc.
- Registered address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
- Security contact: ethicpages+contact@invictosoft.com
Overview
EthicPages, Inc. ("EthicPages," "we," "us," or "our") provides a SaaS platform for generating and maintaining procurement-grade Trust Center documentation. This Security Overview explains the technical, administrative, and organizational controls we apply to protect customer information, service availability, and platform integrity.
This page is intended to support security questionnaires, procurement diligence, and customer risk assessments. It complements and should be read with our Privacy Policy, AI Usage Policy, Subprocessors, Data Processing Agreement, Service Level Agreement, and Responsible Disclosure Policy.
No security program can eliminate all risk. EthicPages uses layered controls, continuous monitoring, and incident response processes to reduce security risk to an acceptable level for our service model.
Security governance and accountability
Our security program is risk-based and aligned to common control domains used in procurement review processes.
| Domain | Objective | Program owner | Typical evidence |
|---|---|---|---|
| Governance & policy | Define security standards and accountability. | Security Lead + Legal | Security policies, review logs, approval records. |
| Identity & access | Restrict access to authorized personnel and systems only. | Engineering + Security | Access reviews, role mappings, MFA enforcement. |
| Infrastructure security | Harden hosting and data services against misuse and compromise. | Platform Engineering | Configuration baselines, deployment controls, logging. |
| Application security | Reduce software vulnerabilities and insecure patterns. | Engineering | Code review records, dependency reports, test logs. |
| Incident response | Detect, triage, contain, and remediate security events. | Security + Incident Commander | Incident runbooks, timeline logs, postmortems. |
| Vendor risk | Assess and govern subprocessors with data/security impact. | Security + Procurement | Vendor assessments, contracts, DPA tracking. |
Security policies are reviewed on a quarterly cadence and updated when there are material architecture changes, regulatory shifts, or meaningful incident findings.
Infrastructure architecture
EthicPages relies on managed, security-focused cloud providers to reduce infrastructure risk and improve operational resilience.
Core hosting components
| Layer | Primary service | Security relevance |
|---|---|---|
| Application hosting | Vercel | Managed deployment pipeline, platform isolation, TLS termination, edge and server execution controls. |
| Primary database | Neon (PostgreSQL) | Managed PostgreSQL service with role-based access, encrypted transport, and operational safeguards. |
| Object/content and integrations | Subprocessors listed on the Subprocessors page | Access scoped by least privilege and governed by contractual safeguards. |
| Payments | Stripe | Cardholder data handled by PCI-focused processor; EthicPages does not store full card PAN. |
| Email delivery | Resend | Transactional email routing for account and operational notifications. |
We maintain environment separation (for example, production and non-production), with restricted credential scope and deployment controls designed to reduce accidental cross-environment impact.
Data protection controls
Encryption
EthicPages protects data in transit and at rest through industry-standard cryptographic controls and provider-native encryption features.
| Control area | Baseline control | Notes |
|---|---|---|
| In transit | TLS for browser and API communications | Modern HTTPS practices applied across platform endpoints. |
| At rest | Provider-managed encryption for databases and storage layers | Relies on managed service encryption posture and key management capabilities. |
| Secret handling | Secrets stored in controlled runtime configuration systems | Secrets are not committed to source control; access is limited by role. |
| Backup protection | Backup artifacts inherit provider encryption controls | Backup lifecycle and retention follow provider and internal policies. |
Data minimization and retention
We design product flows to collect only the data required to deliver service functionality. Retention periods are documented in our Data Retention page, with deletion and anonymization procedures triggered by lifecycle events (for example account closure, legal hold expiration, or policy retention limits).
Identity, access control, and authentication
EthicPages enforces strict access controls for production systems and customer data.
Better Auth and account security
EthicPages uses Better Auth patterns for server-side session handling and authentication workflows. Security posture includes:
- Auth checks enforced close to sensitive reads and mutations.
- Session and cookie handling configured for secure defaults.
- Role-aware authorization for workspace actions.
- Validation of callback and return URLs to prevent open redirects.
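The two checks below are an added example written for this page, not EthicPages' or Better Auth's own code: a return-URL validator that refuses anything outside the application's own origin (protocol-relative URLs, backslash tricks, `javascript:` schemes, look-alike hosts), and a per-workspace role check placed inside the mutation it protects. The app origin, role names, workspace IDs and the "publish" action are assumptions made for the example.

```typescript
// Added example: not EthicPages' or Better Auth's own code. Names, roles and the
// "publish" action are illustrative; the app origin is passed in by the caller.

// (1) Return-URL validation: only ever redirect within the app's own origin.
// Returns a same-origin path for `raw`, or `fallback` when `raw` cannot be trusted.
function safeReturnUrl(raw: string | null | undefined, appOrigin: string, fallback = "/"): string {
  if (!raw) return fallback;
  // The URL parser silently strips some control characters; refuse them instead.
  if (/[\u0000-\u001f\u007f]/.test(raw)) return fallback;
  // Browsers treat "\" like "/", so "/\evil.example" becomes "//evil.example".
  if (raw.includes("\\")) return fallback;
  let parsed: URL;
  try {
    // Resolving against the app origin turns "//evil.example/x" into
    // "https://evil.example/x" and gives "javascript:..." the origin "null";
    // both then fail the origin comparison below.
    parsed = new URL(raw, appOrigin);
  } catch {
    return fallback;
  }
  if (parsed.origin !== new URL(appOrigin).origin) return fallback;
  // Re-emit only path, query and fragment: never echo a caller-supplied scheme, host or userinfo.
  return parsed.pathname + parsed.search + parsed.hash;
}

// (2) Role-aware authorization checked inside the mutation, per workspace.
type Role = "viewer" | "editor" | "admin" | "owner";
const RANK: Record<Role, number> = { viewer: 0, editor: 1, admin: 2, owner: 3 };

interface Session {
  userId: string;
  memberships: { workspaceId: string; role: Role }[];
}

// Membership is looked up for the workspace named in the request, so an admin of
// workspace A has no rights in workspace B, and a non-member gets nothing at all.
function canPerform(session: Session | null, workspaceId: string, required: Role): boolean {
  if (!session) return false;
  const membership = session.memberships.find(m => m.workspaceId === workspaceId);
  if (!membership) return false;
  return RANK[membership.role] >= RANK[required];
}

// In-memory stand-in for the workspace table (constructed for the example).
const workspaces = new Map<string, { published: boolean }>([
  ["ws-a", { published: false }],
  ["ws-b", { published: false }],
]);

interface PublishResult { ok: boolean; reason?: "forbidden" | "not_found"; publishedBy?: string }

// The check sits in the mutation itself, not only in a route wrapper, so there is no
// path to the write that skips it. Authorization runs before the existence check so a
// non-member cannot probe which workspace IDs exist.
function publishTrustCenter(session: Session | null, workspaceId: string): PublishResult {
  if (!session || !canPerform(session, workspaceId, "admin")) {
    return { ok: false, reason: "forbidden" };
  }
  const ws = workspaces.get(workspaceId);
  if (!ws) return { ok: false, reason: "not_found" };
  ws.published = true;
  return { ok: true, publishedBy: session.userId };
}

// Stand-alone demonstration.
const ORIGIN = "https://app.example.test";
console.log(safeReturnUrl("/dashboard?tab=1", ORIGIN));
console.log(safeReturnUrl("//evil.example/x", ORIGIN));
console.log(publishTrustCenter({ userId: "u1", memberships: [{ workspaceId: "ws-a", role: "admin" }] }, "ws-a"));
```

The validator deliberately returns a path rather than the parsed absolute URL, so the redirect target is always rebuilt from the application's own origin; the role check compares ranks so that a higher role implies the lower ones without a separate table of permitted actions.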
Workforce and operational access controls
| Control | Baseline requirement | Rationale |
|---|---|---|
| Least privilege | Access granted based on role and business need. | Reduces blast radius of account compromise or misuse. |
| MFA | Multi-factor authentication required for privileged systems and admin surfaces. | Limits the impact of stolen, phished, or reused passwords (for example credential stuffing). |
| Access reviews | Periodic review of privileged accounts and stale permissions. | Ensures permissions remain current and justified. |
| Joiner/mover/leaver process | Access provisioning and deprovisioning tied to role lifecycle. | Limits orphaned credentials and lingering privileges. |
| Credential hygiene | Strong password and token controls; rotation for sensitive secrets. | Reduces risk of long-lived compromise. |
Administrative access to production systems is logged and monitored to support auditing and investigations.
Secure software development lifecycle
Security is embedded in the development lifecycle using practical controls proportionate to product risk.
SDLC controls
| SDLC stage | Security activity | Outcome |
|---|---|---|
| Design | Threat-informed architecture review for sensitive features. | Early risk identification and mitigation planning. |
| Implementation | Peer review and secure coding standards. | Lower probability of introducing exploitable flaws. |
| Dependencies | Automated dependency checks and update workflows. | Faster response to known vulnerabilities in third-party packages. |
| Testing | Functional and security-oriented validation before release. | Better release confidence and reduced regression risk. |
| Deployment | Controlled CI/CD with environment restrictions. | Prevents unauthorized or unreviewed code promotion. |
Dependency management
EthicPages tracks direct and transitive dependencies and applies risk-based remediation for security advisories. High-severity vulnerabilities are prioritized based on exploitability, affected surface, and compensating controls.
Our approach generally includes:
- Regular dependency update cycles.
- Security advisory monitoring for used libraries.
- Controlled updates with verification in non-production before release.
- Rollback planning for updates that create stability risks.
Logging, monitoring, and detection
EthicPages maintains operational and security telemetry to support service reliability and incident response.
| Telemetry type | Example signals | Use case |
|---|---|---|
| Application logs | Auth errors, API failures, validation exceptions | Troubleshooting and abuse detection. |
| Infrastructure signals | Deployment events, runtime anomalies | Platform health and change tracking. |
| Security-relevant events | Privileged actions, suspicious access attempts | Detection and investigation support. |
| Billing and account events | Plan changes, payment state transitions | Fraud and operational reconciliation. |
Log access is restricted to authorized personnel. Retention is managed according to operational necessity and legal requirements.
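To show what "auth errors" used for "abuse detection" looks like in practice, the following is an added example, not EthicPages' own telemetry or detection code. It runs over constructed JSON-lines authentication records (the field names `ts`, `event`, `ip`, `account` and the event names `auth.login_failed` / `auth.login_ok` are assumptions for the example) and flags three patterns: one IP failing against many accounts in a short window (credential stuffing or spraying), many failures against one account from any IPs (brute force, possibly distributed), and a successful login from an IP already flagged for stuffing, which is the signal that actually warrants paging.

```typescript
// Added example: not EthicPages' own detection code. The record shape (ts, event,
// ip, account) and the event names are assumptions made for this example.

interface AuthEvent { ts: number; event: string; ip: string; account: string }

interface Finding {
  kind: "credential_stuffing" | "brute_force" | "success_after_stuffing";
  key: string;      // the source IP or the account the finding is about
  failures: number; // failed logins inside the densest window found
  accounts: number; // distinct accounts touched inside that window
}

// Constructed sample log (JSON lines); the IPs are RFC 5737 documentation addresses.
const SAMPLE_LOG = `
{"ts":"2026-05-31T10:00:01Z","event":"auth.login_failed","ip":"203.0.113.7","account":"a@x.test"}
{"ts":"2026-05-31T10:00:03Z","event":"auth.login_failed","ip":"203.0.113.7","account":"b@x.test"}
{"ts":"2026-05-31T10:00:05Z","event":"auth.login_failed","ip":"203.0.113.7","account":"c@x.test"}
{"ts":"2026-05-31T10:00:08Z","event":"auth.login_failed","ip":"203.0.113.7","account":"d@x.test"}
{"ts":"2026-05-31T10:00:09Z","event":"auth.login_failed","ip":"203.0.113.7","account":"e@x.test"}
{"ts":"2026-05-31T10:00:12Z","event":"auth.login_ok","ip":"203.0.113.7","account":"e@x.test"}
{"ts":"2026-05-31T10:01:00Z","event":"auth.login_failed","ip":"198.51.100.2","account":"victim@x.test"}
{"ts":"2026-05-31T10:01:30Z","event":"auth.login_failed","ip":"198.51.100.3","account":"victim@x.test"}
{"ts":"2026-05-31T10:02:00Z","event":"auth.login_failed","ip":"198.51.100.4","account":"victim@x.test"}
{"ts":"2026-05-31T10:02:30Z","event":"auth.login_failed","ip":"198.51.100.5","account":"victim@x.test"}
{"ts":"2026-05-31T10:03:00Z","event":"auth.login_failed","ip":"198.51.100.6","account":"victim@x.test"}
{"ts":"2026-05-31T10:30:00Z","event":"auth.login_failed","ip":"192.0.2.9","account":"typo@x.test"}
{"ts":"2026-05-31T10:30:20Z","event":"auth.login_ok","ip":"192.0.2.9","account":"typo@x.test"}
`;

function parseLog(text: string): AuthEvent[] {
  const out: AuthEvent[] = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    let rec: any;
    try { rec = JSON.parse(line); } catch { continue; } // a malformed line must not stop the detector
    const ts = Date.parse(rec.ts);
    if (Number.isNaN(ts) || typeof rec.ip !== "string" || typeof rec.account !== "string") continue;
    out.push({ ts, event: String(rec.event), ip: rec.ip, account: rec.account.toLowerCase() });
  }
  return out.sort((a, b) => a.ts - b.ts);
}

// Densest run of events fitting inside `windowMs`, for a time-sorted list (two-pointer sweep).
function densestWindow(events: AuthEvent[], windowMs: number): AuthEvent[] {
  let best: AuthEvent[] = [];
  let start = 0;
  for (let end = 0; end < events.length; end++) {
    while (events[end].ts - events[start].ts > windowMs) start++;
    if (end - start + 1 > best.length) best = events.slice(start, end + 1);
  }
  return best;
}

function groupBy(events: AuthEvent[], key: (e: AuthEvent) => string): Map<string, AuthEvent[]> {
  const groups = new Map<string, AuthEvent[]>();
  for (const e of events) {
    const k = key(e);
    const bucket = groups.get(k);
    if (bucket) bucket.push(e); else groups.set(k, [e]);
  }
  return groups;
}

function detect(events: AuthEvent[], windowMs = 5 * 60 * 1000, threshold = 5, distinctAccounts = 3): Finding[] {
  const findings: Finding[] = [];
  const failures = events.filter(e => e.event === "auth.login_failed");
  const flaggedIps = new Set<string>();

  // One source IP failing against many different accounts: credential stuffing or password spray.
  groupBy(failures, e => e.ip).forEach((evs, ip) => {
    const w = densestWindow(evs, windowMs);
    const accounts = new Set(w.map(e => e.account)).size;
    if (w.length >= threshold && accounts >= distinctAccounts) {
      findings.push({ kind: "credential_stuffing", key: ip, failures: w.length, accounts });
      flaggedIps.add(ip);
    }
  });

  // Many failures against one account, from any number of IPs: brute force (possibly distributed).
  groupBy(failures, e => e.account).forEach((evs, account) => {
    const w = densestWindow(evs, windowMs);
    if (w.length >= threshold) {
      findings.push({ kind: "brute_force", key: account, failures: w.length, accounts: 1 });
    }
  });

  // A successful login from an IP already flagged for stuffing is the event to page on:
  // it names the account that the credential list actually hit.
  for (const e of events) {
    if (e.event === "auth.login_ok" && flaggedIps.has(e.ip)) {
      findings.push({ kind: "success_after_stuffing", key: e.account, failures: 0, accounts: 1 });
    }
  }
  return findings;
}

console.log(detect(parseLog(SAMPLE_LOG)));
```

The window and thresholds are parameters on purpose: with a one-minute window the same log no longer yields the distributed brute-force finding (five failures spread over two minutes), while the stuffing burst, which fits in eight seconds, is still caught. Tuning those values against real traffic, and keeping the per-account rule alongside the per-IP rule so that rotating source addresses does not evade detection, is where most of the operational work lies.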
Incident response
EthicPages maintains an incident response process for security and availability events.
Incident lifecycle
- Detect and triage: Alerts, reports, and anomalous telemetry are reviewed.
- Contain: Immediate actions are taken to reduce active risk.
- Eradicate and remediate: Root cause is addressed and controls are strengthened.
- Recover: Services are restored with monitoring for recurrence.
- Post-incident review: Timeline, impact, and lessons learned are documented.
| Incident severity | Typical criteria | Response objective |
|---|---|---|
| Critical | Confirmed unauthorized access, broad service compromise, severe customer impact | Immediate mobilization and continuous response until stabilized. |
| High | Significant service degradation or high-risk vulnerability exposure | Accelerated response with same-day containment goals. |
| Medium | Localized issue with limited data or service impact | Planned remediation in short operational window. |
| Low | Minor issue with low exploitability or low impact | Scheduled remediation and tracking. |
Customer communications for qualifying incidents are provided in line with contractual and legal obligations, including relevant facts known at the time and follow-up updates when available.
Business continuity and resilience
EthicPages' resilience posture combines the redundancy features of its managed services, controlled deployment practices, and defined recovery workflows. The Service Level Agreement provides uptime and service-credit commitments for eligible plans.
Planned maintenance is scheduled to reduce customer impact and communicated in advance when practicable. Emergency maintenance may be performed without prior notice when required to preserve service security or integrity.
Compliance posture and SOC 2 roadmap
EthicPages is committed to maturing its control environment in line with procurement expectations for B2B SaaS providers.
| Control maturity area | Current posture | Roadmap direction |
|---|---|---|
| Policy framework | Core security, privacy, and legal policy set in place | Ongoing formalization and evidence automation. |
| Operational controls | Identity, logging, incident, and change controls active | Expanded control depth and stronger metrics coverage. |
| Audit readiness | Security evidence gathered for customer diligence | Structured SOC 2 readiness and audit planning. |
| Third-party governance | Subprocessor documentation and contractual controls | Increased periodic diligence depth and attestations tracking. |
SOC 2 planning and sequencing are driven by customer commitments, operational maturity, and audit readiness milestones. Roadmap statements are forward-looking and may evolve.
Responsible disclosure
EthicPages welcomes responsible vulnerability disclosures from security researchers and customers. Please report suspected vulnerabilities through our Responsible Disclosure Policy and contact address.
Submit reports to ethicpages+contact@invictosoft.com with:
- A clear description of the issue and potential impact.
- Reproduction steps, proof-of-concept details, and affected endpoints if known.
- Any timing considerations or active exploitation concerns.
We request that researchers avoid privacy violations, service disruption, or unauthorized data access while testing.
Customer shared-responsibility model
Security outcomes depend on both EthicPages platform controls and customer operational practices.
| EthicPages responsibility | Customer responsibility |
|---|---|
| Secure operation of hosted platform components and managed integrations. | Secure configuration and access governance within customer workspace and organization. |
| Baseline service authentication, authorization primitives, and product safeguards. | Assign appropriate user roles and enforce internal approval workflows. |
| Incident handling for platform-originated security events. | Promptly report suspicious account activity and rotate compromised credentials. |
| Maintenance of legal/security documentation and control updates. | Review and approve published Trust Center content for factual/legal accuracy. |
Changes and document control
We update this Security Overview as controls evolve, infrastructure changes, and compliance programs mature. The "Last updated" date indicates the latest revision. Material security posture updates are reflected in this document and, where relevant, related legal pages.
Related legal references:
- Privacy Policy
- AI Usage Policy
- Subprocessors
- Service Level Agreement
- Responsible Disclosure Policy
- Law Enforcement Guidelines
Security contact
For security questionnaires, customer due-diligence requests, or incident reporting:
- Email: ethicpages+contact@invictosoft.com
- Company: EthicPages, Inc.
- Postal: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Please include relevant context (customer workspace, affected feature, timeline) to support faster triage.