Our Security Stance
We follow the principle of least privilege across all systems. Every engagement starts with a threat model conversation: what data is sensitive, what blast radius matters, what compliance applies. We design from there.
Data Handling
Client data is encrypted in transit (TLS 1.2+) and at rest wherever the underlying hosting provider or data processor supports it. Client environments are segmented: no shared credentials, no shared databases. Access is granted to named individuals, time-bound where practical, and reviewed quarterly.
Production secrets live in managed secret stores (1Password, Vercel/Railway environment variables, cloud-native KMS where applicable). Secrets never enter Git, never appear in logs, and never sit in chat threads.
Compliance
We are working toward formal certification:
- SOC 2 Type II: readiness assessment underway. Targeted audit window: Q4 2026.
- ISO 27001: gap analysis complete. Roadmapped post-SOC 2.
Until those are formal, we operate under documented internal policies that mirror the SOC 2 control families. Available on request under NDA.
Reporting a Vulnerability
If you've found a security issue in any CirclStdio property (this site, a client deliverable, an open-source artifact), please email security@circlstdio.io.
Include: a description of the issue, reproduction steps, and the impact you observed. Please don't publicly disclose until we've had a reasonable window (typically 90 days) to investigate and remediate.
We do not currently run a paid bounty program but will publicly credit researchers (with permission) on this page once we have advisories to publish.
Recent Advisories
◉ NONE TO DATE.
Contact
Security: security@circlstdio.io
General: contact@circlstdio.io