This page summarizes how Rich in Thought LLC protects data in the VITAL Suite dashboard product (the "Service"). A deeper security-posture document is available to prospective customers and vendor reviewers at security@richinthought.com.
1. Data flow
The Service reads financial, payroll, CRM, and marketing-automation data from third-party services (QuickBooks Online, Gusto, HubSpot, ActiveCampaign) via each service's OAuth 2.0 authorization flow. We request read-only scopes and never hold write credentials. Data is pulled on a nightly cadence plus on-demand from the connected user's dashboard.
2. Encryption
- In transit: All customer-facing traffic uses HTTPS with TLS 1.3. Internal service-to-service calls use TLS 1.2+. HTTP Strict Transport Security is enforced at the edge.
- At rest: OAuth access and refresh tokens are encrypted with Fernet (AES-128-CBC with HMAC-SHA256 authenticated encryption) before being written to the database. Database volumes are encrypted with AES-256 by our cloud provider.
- Key management: Encryption keys are stored as environment secrets in our hosting platform (Railway), rotated at least annually, and accessible only to production systems and a limited set of engineers.
3. Tenant isolation
Every customer tenant has its own company_id scope. Isolation is enforced at two layers:
- Application layer: Every query that reads tenant data explicitly filters by company_id derived from the authenticated session.
- Database layer: PostgreSQL Row-Level Security policies scope reads and writes by company_id for user-session clients. Encrypted credential columns are accessible only to our service role, never to a user-session query.
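The two layers above, shown as an added PostgreSQL illustration that is not VITAL Suite's own schema; the table, role and setting names (connected_accounts, oauth_credentials, app_user, service_role, app.company_id) are assumptions.

```sql
-- Constructed example: two roles, one for user-session queries and one for the backend.
CREATE ROLE app_user NOLOGIN;
CREATE ROLE service_role NOLOGIN;

CREATE TABLE connected_accounts (
  id          bigserial PRIMARY KEY,
  company_id  uuid NOT NULL,
  provider    text NOT NULL            -- e.g. 'quickbooks', 'gusto'
);

-- Encrypted OAuth tokens live in a separate table that user-session clients cannot reach.
CREATE TABLE oauth_credentials (
  account_id       bigint PRIMARY KEY REFERENCES connected_accounts(id),
  company_id       uuid NOT NULL,
  token_ciphertext bytea NOT NULL      -- Fernet ciphertext produced by the application
);

-- Database layer: Row-Level Security on tenant data, forced even for the table owner.
ALTER TABLE connected_accounts ENABLE ROW LEVEL SECURITY;
ALTER TABLE connected_accounts FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) returns NULL when the parameter is unset, so the comparison
-- is NULL and no row qualifies: a request with no tenant context sees nothing (fail closed).
CREATE POLICY tenant_isolation ON connected_accounts
  FOR ALL TO app_user
  USING      (company_id = current_setting('app.company_id', true)::uuid)
  WITH CHECK (company_id = current_setting('app.company_id', true)::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON connected_accounts TO app_user;

-- Credential columns: the service role only; app_user is deliberately never granted access.
REVOKE ALL ON oauth_credentials FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE ON oauth_credentials TO service_role;

-- Application layer: each request pins the tenant from the authenticated session
-- inside its own transaction (SET LOCAL ends with the transaction).
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.company_id = '11111111-1111-1111-1111-111111111111';  -- constructed tenant id
SELECT id, provider FROM connected_accounts;   -- returns only this tenant's rows
COMMIT;
```

Running the same SELECT as app_user without the SET LOCAL returns zero rows rather than every tenant's rows, which is the property to check when reviewing a new query path.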
4. Authentication
- Passwords hashed with bcrypt (cost factor 12+).
- Two-factor authentication via TOTP is required for every login. We do not send verification codes by SMS.
- OAuth 2.0 + PKCE for sign-in with Google (when used).
- Sessions are signed with an application secret and expire after a bounded idle window.
5. Infrastructure
- Hosting: Railway (AWS-backed compute, US regions). SOC 2 Type 2 attested.
- Database: Supabase (managed PostgreSQL, US regions). SOC 2 Type 2 attested.
- Email: ActiveCampaign for transactional and product email. ActiveCampaign's security controls are documented at activecampaign.com/security.
- Edge + DNS: Fastly + Cloudflare managed by Railway.
6. Operational controls
- Structured request logs with tenant-scoped identifiers for security monitoring, retained 90 days.
- Anomaly review and rate-limit enforcement on authentication endpoints.
- Automated nightly backups of the production database retained per Supabase's documented retention policy.
- Dependency-vulnerability scanning on every commit (GitHub Advanced Security + Bandit).
- Every deploy tagged with a git SHA; rollback is a single-click Railway operation.
7. Incident response
If we discover a security incident affecting customer data, we notify affected customers within 72 hours (per GDPR Article 33) with the nature of the incident, the data involved, our remediation steps, and the incident-response contact. Report suspected incidents to security@richinthought.com.
8. Responsible disclosure
We welcome security research. If you identify a vulnerability:
- Email security@richinthought.com with details and reproduction steps.
- Do not publicly disclose before we have had a reasonable chance to remediate (typically 30 days; longer for complex issues).
- Do not exfiltrate real customer data while testing; use your own tenant.
- Do not run denial-of-service tests against production.
We do not currently run a paid bug bounty, but meaningful reports are acknowledged and credited with the reporter's permission.
9. Vendor reviews
For customer security questionnaires, SIG Lite, or CAIQ submissions, request the VITAL Suite Security Posture document at security@richinthought.com. We respond within two business days.