Security & trust

What we do with your data.

We're a small working company building production systems for paying clients. We've taken the practices that matter at our scale seriously, and we've been honest below about the certifications we don't have. If you need something we don't list, talk to us — we'll either scope around it or tell you to use someone else.

Last reviewed: June 2026

01 Practices we run today

Identity
Clerk handles authentication. Magic links + Google OAuth on by default; SAML/SSO available for enterprise engagements. Sessions are JWT-bound and rotated regularly. We do not store passwords.
Data hosting
Customer data lives in Supabase (Postgres) hosted in the US (us-east region). The Hub itself runs on Cloudflare Workers via Webflow Cloud — globally edge-cached, no origin server you can hit directly.
Encryption in transit
Everything is TLS 1.3 — Cloudflare terminates and re-encrypts to origin. HSTS preload is on. We don't accept HTTP at any boundary.
Encryption at rest
Supabase encrypts all data at rest with AES-256. Stripe handles payment card data — we never see full PANs. Backup snapshots are encrypted with the same key.
Access control
Row-level security is enabled on every customer-facing table. Staff access is gated by Clerk public_metadata role claims (stacklumen_role). No staff has direct database credentials; even the service role goes through audited API endpoints.
Audit log
Every staff action on customer data (lead status changes, chat messages, contact ticket updates) writes a row to team_activities with the actor's Clerk id, before/after values, and a timestamp. Retained for 24 months.
Backups
Supabase daily backups + point-in-time recovery on a 7-day window. Critical schemas are also exported nightly to encrypted cold storage.
Sub-processors
Listed in our Terms of Use § 04.02. Current: Cloudflare (infra), Supabase (DB), Clerk (auth), Stripe (billing), Resend (email), Sentry (errors), Webflow Cloud (hosting). Each is under contract with equivalent confidentiality + security obligations.
02 Reporting + response

Vulnerability reports
Email support@stacklumen.com with "SECURITY" in the subject. We acknowledge within one business day and ship a fix or mitigation within seven days for high-severity issues.
Incident response
If something does go wrong: we notify affected clients within 72 hours per GDPR-style obligations, publish a post-incident writeup on the changelog, and credit you appropriately for any service interruption.
Data deletion
Email us and we delete your account-identifying data within 30 days, complete the deletion across primary databases and routine backups within 90 days, and confirm in writing. Encrypted backups roll off on their own 35-day rotation.
03 What we don't have (yet)

Honesty over polish. Here's what enterprise buyers sometimes ask for that we can't provide today — and what we're doing about it.

SOC 2
Not certified. Targeting Type I in 2026 once we hit a customer-count threshold that justifies the audit cost.
HIPAA / BAA
Not currently available. We can scope an engagement to avoid PHI; talk to us if you need a BAA.
Penetration testing
Self-tested internally; no third-party pen test report yet. On the 2026 roadmap.
Got a security question?

Email a human, get a real answer.

No legal-team gatekeeping, no two-week wait. We answer security and procurement questions inside one business day, in writing, signed by name.