Security

Built on public data. Secured like private data.

The intelligence we serve comes from public federal sources, but our customers’ queries, watchlists, and reports are confidential. Here’s how we protect them.

Practices

Encryption in transit & at rest

All traffic to redmapalert.com is served over TLS 1.2+. Customer data and authentication tokens are encrypted at rest using AES-256 on managed Postgres and Redis providers.

Authentication

Authentication is handled by Clerk with industry-standard session management. Passwordless and OAuth flows are supported. We never store passwords on our servers.

Infrastructure

Hosted on Vercel (U.S. regions) with managed Postgres and Redis. Stripe handles all payment data — RedMapAlert never touches card numbers, CVVs, or bank credentials.

Access controls

Production access is restricted to a small number of engineers, gated by SSO and 2FA. All production changes are logged and reviewed. We follow the principle of least privilege.

Data Handling

  • Customer data we store: account email, organization, watchlists, report history, subscription status. That’s it.
  • Payment data: processed entirely by Stripe (PCI DSS Level 1). We never see card numbers, CVVs, or bank credentials.
  • Subprocessors: Vercel (hosting), Clerk (authentication), Stripe (billing), managed Postgres & Redis providers (data), OpenAI (report generation, no PII sent).
  • Data deletion: account deletion removes all customer data within 30 days. Subscription cancellation does not auto-delete account data — request via support.
  • Geographic scope: data is stored in U.S. regions.

HTTP Security Headers

Every page on redmapalert.com is served with the following browser-enforced security headers. The HSTS max-age of 63072000 seconds is two years, which meets the threshold commonly required for HSTS preload lists.

Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: (strict policy with allowlisted sources)
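A practitioner receiving this page as part of a vendor review will usually want to confirm the headers rather than take them on trust. The checker below is an added example written for this page, not RedMapAlert's own tooling: it takes a captured set of response headers and reports every deviation from the baseline in the table above. The HSTS, X-Frame-Options, X-Content-Type-Options and Referrer-Policy values are the ones the page states; because the page does not print its actual CSP, the CSP checks (a default-src fallback exists, and script-src contains neither 'unsafe-inline', 'unsafe-eval' nor a bare wildcard) are this example's own assumptions about what a "strict CSP with allowlisted sources" means. The two header sets at the bottom are constructed samples, and https://cdn.example.com is a placeholder origin; neither was captured from redmapalert.com.

```python
"""Check a captured set of HTTP response headers against the hardening
baseline described above. Added example, not RedMapAlert's code."""
from __future__ import annotations

TWO_YEARS = 63072000  # seconds; the HSTS max-age the page states


def _hsts_params(value: str) -> dict[str, str | None]:
    """Parse 'max-age=63072000; includeSubDomains' into {name: value-or-None}."""
    params: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        params[name.strip().lower()] = val.strip().strip('"') if sep else None
    return params


def _csp_directives(value: str) -> dict[str, list[str]]:
    """Parse 'default-src x; script-src y z' into {directive: [sources]}."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the baseline is met.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        p = _hsts_params(hsts)
        try:
            max_age = int(p.get("max-age") or -1)
        except ValueError:
            max_age = -1
        if max_age < TWO_YEARS:
            findings.append(f"HSTS max-age {max_age} below {TWO_YEARS}")
        if "includesubdomains" not in p:
            findings.append("HSTS lacks includeSubDomains")

    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    if h.get("referrer-policy", "").strip().lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        d = _csp_directives(csp)
        if "default-src" not in d:
            findings.append("CSP has no default-src fallback")
        # Assumption: a "strict" policy never lets scripts run from inline
        # text, eval, or any origin. script-src inherits from default-src.
        script_src = d.get("script-src", d.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in script_src:
                findings.append(f"CSP script-src allows {weak}")
    return findings


# Constructed sample header sets (not captured from redmapalert.com).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
}

WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "x-frame-options": "SAMEORIGIN",
    "content-security-policy": "script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, check_security_headers(hdrs) or "baseline met")
```

To run it against a live site, feed the checker the header dictionary from a `requests.get(...)` or `curl -sI` capture; the parsers deliberately lower-case names and directive tokens because proxies and CDNs frequently change header casing.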

Vulnerability Disclosure

If you believe you’ve found a security vulnerability, please report it privately. We’ll acknowledge your report within two business days and work with you on a fix and disclosure timeline.

  • Email: security@redmapalert.com
  • Please do not publicly disclose until we’ve confirmed a fix.
  • We do not yet operate a paid bug bounty, but we’re happy to credit researchers in our changelog.

Compliance Roadmap

RedMapAlert is operated by ECONSTART LLC, a U.S.-based company. We are committed to transparency about our compliance posture as we grow.

  • SOC 2 Type II — in progress with a Drata-style automation provider; report targeted for late 2026.
  • DPA — available on request for paid customers. Contact legal@redmapalert.com.
  • SSO/SAML — available on Enterprise plans.

Have a security or procurement questionnaire? Email security@redmapalert.com and we’ll respond within two business days.