Security

Effective June 19, 2026; next review June 19, 2027
Scope: the public sutyr.com surface
Reports: security@sutyr.com

Sutyr is built for billing reliability, and the same discipline applies to how we protect data. This page summarizes the security of the public sutyr.com surface and links to the documents that hold the detail. It describes what is deployed today and what is planned; present-tense statements are live, and anything forthcoming is dated. It makes no certification claim.

Infrastructure & data protection

Traffic to sutyr.com is encrypted in transit with TLS 1.3, and the certificate is issued by Let’s Encrypt with automated rotation. The site runs on infrastructure operated by providers that hold their own independent security certifications:

  • Vercel — hosting and edge delivery (SOC 2 Type II).
  • Cloudflare — DNS, WAF, TLS termination, and DDoS mitigation (SOC 2 Type II, ISO 27001).
  • Amazon Web Services — primary platform infrastructure (SOC 2 Type II, ISO 27001, PCI-DSS).
  • Stripe — payment processing (PCI-DSS Level 1). Sutyr never stores raw payment instrument data.

The Sutyr platform is designed for multi-tenant isolation: authentication and organization scoping run through Stytch, and billing workflows are isolated per tenant on Temporal Cloud. The full sub-processor inventory, with each provider’s purpose and data categories, is published in our Sub-processor Disclosure.

Application security

Every response from sutyr.com ships a strict set of HTTP security headers: HSTS with preload, a Content-Security-Policy with violation reporting, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, a constrained Permissions-Policy, and a strict Referrer-Policy. CSP violations are reported to a first-party endpoint.
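The header set described above can be checked mechanically rather than by eye. The following is an added example, not Sutyr's own code: it audits a dictionary of response headers against that policy. The one-year HSTS floor (the minimum the preload list accepts) and the two sample header sets are constructed for illustration, not captured from sutyr.com.

```python
"""Audit an HTTP response header set against a strict-headers policy.

Added example (not Sutyr's code). Expectations mirror the headers
listed on the page; WEAK and STRICT below are constructed samples.
"""
import re

HSTS_MIN_AGE = 31536000  # one year: assumption, the floor for HSTS preload submission
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}


def _directives(policy: str) -> dict:
    """Parse 'name tok tok; name tok' policy strings into {name: [tokens]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means the set meets the policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < HSTS_MIN_AGE:
        findings.append("HSTS missing or max-age below one year")
    elif "includesubdomains" not in hsts or "preload" not in hsts:
        findings.append("HSTS lacks includeSubDomains and/or preload")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        d = _directives(csp)
        if "report-to" not in d and "report-uri" not in d:
            findings.append("CSP has no violation reporting directive")
        script = d.get("script-src", d.get("default-src", []))
        if "'unsafe-inline'" in script and not any(
                t.startswith(("'nonce-", "'sha256-")) for t in script):
            findings.append("CSP script-src allows 'unsafe-inline' without nonce/hash")
        if "frame-ancestors" not in d and h.get("x-frame-options", "").upper() != "DENY":
            findings.append("no framing protection (frame-ancestors or X-Frame-Options: DENY)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    if h.get("referrer-policy", "").lower() not in STRICT_REFERRER:
        findings.append("Referrer-Policy missing or permissive")
    return findings


# Constructed samples: a permissive set and one that matches the stated policy.
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "unsafe-url",
}
STRICT = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' 'nonce-abc123'; "
                                "frame-ancestors 'none'; report-to csp-endpoint"),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("strict", STRICT)):
        print(name, audit_headers(hdrs) or "OK")
```

The CSP check treats a nonce or hash as the only acceptable companion to `'unsafe-inline'` (browsers that understand the nonce ignore the keyword), and the framing check accepts either `frame-ancestors` or `X-Frame-Options: DENY`, since the former supersedes the latter in CSP-aware browsers.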

  • Secure delivery pipeline — every change runs through a continuous-integration pipeline (lint, unit tests, end-to-end tests, and a production build) before it can ship.
  • Automated dependency monitoring — third-party dependencies are scanned against the GitHub advisory database, with update pull requests opened automatically.
  • Form abuse protection — the application form is protected by Cloudflare Turnstile; submissions are validated server-side.
  • Privacy-preserving error monitoring — runtime errors are captured with all submitted form values masked and email addresses hashed before they leave Sutyr’s infrastructure.
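The last item is a data-minimisation step, and the detail that matters is how the email is hashed: an unkeyed digest of an address can be reversed by hashing a dictionary of known addresses. The following is an added example, not Sutyr's code, of a scrubber that masks every value under a form field and replaces emails elsewhere with a keyed HMAC-SHA256 pseudonym. The use of HMAC, the field name `form`, and the sample event are assumptions constructed for illustration.

```python
"""Scrub an error-monitoring event before it leaves the origin.

Added example (not Sutyr's code). Form values are masked outright;
email addresses in any other string are replaced by a keyed,
stable pseudonym so the same user can still be correlated across
events without the address itself being exported.
"""
import hashlib
import hmac
import re
from typing import Any

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MASK = "[masked]"
KEY = b"origin-only-secret"  # assumption: in practice loaded from a secret store, never shipped


def hash_email(email: str, key: bytes) -> str:
    """Keyed pseudonym: same address gives the same tag; no key, no reversal by dictionary."""
    tag = hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()
    return f"email:{tag[:16]}"


def scrub_text(text: str, key: bytes) -> str:
    """Replace every email address found in free text (messages, URLs, breadcrumbs)."""
    return EMAIL_RE.sub(lambda m: hash_email(m.group(0), key), text)


def scrub_event(event: dict, key: bytes) -> dict:
    """Return a scrubbed copy; the input event is left untouched."""

    def walk(node: Any, in_form: bool) -> Any:
        if isinstance(node, dict):
            # Everything beneath a "form" key is submitted user input: mask it all.
            return {k: walk(v, in_form or k == "form") for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v, in_form) for v in node]
        if in_form:
            return MASK
        return scrub_text(node, key) if isinstance(node, str) else node

    return walk(event, False)


# Constructed sample event, not a real capture.
SAMPLE_EVENT = {
    "message": "Submission failed for jane@example.com (status 500)",
    "request": {"url": "https://example.com/apply?email=jane@example.com"},
    "form": {"email": "jane@example.com", "company": "Acme", "mrr": 1200},
    "user": {"ip": "203.0.113.7"},
}

if __name__ == "__main__":
    print(scrub_event(SAMPLE_EVENT, KEY))
```

Masking is applied to the whole form subtree rather than to fields named like secrets, because a field that looks harmless today (a free-text "notes" box) can carry anything tomorrow.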

Compliance posture

Sutyr’s infrastructure and controls are designed to SOC 2 standards from the first line of code. A formal SOC 2 examination is planned once the platform reaches the customer base that warrants it; we do not claim certification before it is earned. We track NIST FIPS 203 / 204 / 205, NIST IR 8547, and CNSA 2.0 as the cryptographic references.

Privacy & data handling

Sutyr’s privacy posture covers 13 jurisdictions, including Quebec Law 25, PIPEDA, GDPR, and UK GDPR, and a cookieless analytics approach across its web properties. The complete detail — what we collect, the legal bases, retention periods, cross-border transfer mechanisms, and data-subject rights — is in our Privacy Policy. Use of the site is governed by our Terms of Use.

Cryptography & post-quantum

Connections use TLS 1.3 with forward secrecy and hybrid post-quantum key agreement: clients that support it negotiate X25519MLKEM768 (classical X25519 combined with ML-KEM-768, FIPS 203), so session keys stay confidential even against an adversary who records traffic today and breaks X25519 with a future quantum computer. Two caveats apply: the hybrid group is used only when the client offers it, and authentication of the handshake still rests on the classical signature in the Let's Encrypt certificate. DNSSEC is enabled, so DNS responses for sutyr.com are authenticated. A machine-readable inventory of this cryptography is published in OWASP CycloneDX (CBOM) format at /.well-known/cbom.

Reporting a vulnerability

We welcome responsible disclosure. Security contact and terms are published per RFC 9116 at /.well-known/security.txt. Reach the security team directly at security@sutyr.com.
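A security.txt file is only useful if it parses and has not expired, which RFC 9116 requires reporters and scanners to check. The following is an added example, not Sutyr's tooling: a validator for the rules that most often go wrong (a missing Contact, a missing, malformed, expired or over-long Expires, duplicate Preferred-Languages). The sample file is constructed to show the format and is not the file served at sutyr.com; cleartext PGP signatures, which the RFC allows, are not handled here.

```python
"""Validate a security.txt file against core RFC 9116 rules.

Added example (not Sutyr's tooling). `now_iso` is passed explicitly so
the expiry check is deterministic; the SAMPLE file is constructed.
"""
from datetime import datetime, timedelta

SAMPLE = """\
# constructed sample, not a real file
Contact: mailto:security@example.com
Contact: https://example.com/security
Expires: 2027-06-19T00:00:00Z
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security
"""


def parse_security_txt(text: str) -> dict:
    """Return {field_name_lower: [values]}, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_rfc3339(value: str) -> datetime:
    """Accept the common RFC 3339 shapes; a trailing Z means UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp must carry a timezone offset")
    return dt


def validate_security_txt(text: str, now_iso: str) -> list:
    """Return findings; an empty list means the file passes these checks."""
    now = _parse_rfc3339(now_iso)
    f = parse_security_txt(text)
    findings = []

    contacts = f.get("contact", [])
    if not contacts:
        findings.append("Contact is required")
    for c in contacts:
        if not c.startswith(("https://", "mailto:", "tel:")):
            findings.append(f"Contact should be an https://, mailto: or tel: URI: {c}")

    expires = f.get("expires", [])
    if len(expires) != 1:
        findings.append("exactly one Expires field is required")
    else:
        try:
            exp = _parse_rfc3339(expires[0])
            if exp <= now:
                findings.append("file has expired and must be refreshed")
            elif exp - now > timedelta(days=365):
                findings.append("Expires is more than a year out (SHOULD be under a year)")
        except ValueError as e:
            findings.append(f"Expires is not RFC 3339: {e}")

    if len(f.get("preferred-languages", [])) > 1:
        findings.append("Preferred-Languages must appear at most once")
    for c in f.get("canonical", []):
        if not c.startswith("https://"):
            findings.append(f"Canonical should be an https:// URI: {c}")
    return findings


if __name__ == "__main__":
    print(validate_security_txt(SAMPLE, "2026-06-20T00:00:00Z") or "OK")
```

Pointing this at a live file is a matter of fetching `/.well-known/security.txt` over HTTPS and passing the body in; the RFC also requires that the file be served over HTTPS, which the fetch itself enforces.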

Ownership & review

This posture is owned by Toufic Jrab, founder, Sutyr Inc. It is reviewed at least annually, and whenever the deployed security controls or the applicable standards materially change. Next scheduled review: June 19, 2027.

Sutyr Inc., Federal Corp. No. 1760760-1, Montreal, Quebec, Canada. security@sutyr.com, sutyr.com/security
© 2026 Sutyr Inc.