Encryption
- In transit: TLS 1.3 for all API + web traffic.
- At rest: AES-256 for all storage (Cloudflare R2, Neon Postgres).
- API keys: hashed before storage; only displayed once on creation.
Access controls
- Project assets are scoped per-user — no cross-tenant access.
- Admin access is limited to the founder and requires MFA.
- AI prompts are not retained past 24 hours.
Compliance
- SOC 2 Type II — in progress with target completion 2027-Q1.
- GDPR + CCPA — see privacy policy.
Responsible disclosure
Found a security issue? Please email security@shotshq.com.
We commit to:
- Acknowledge your report within 24 hours.
- Provide a remediation timeline within 5 business days.
- Credit you publicly (with your permission) once the issue is resolved.
Please don't exploit or share vulnerabilities before we've had a chance to fix them.