All systems trustworthy

Trust Center

Security is our second-most important value, right after synergy. Every NotAPOS deployment is hardened by default, monitored by Brett, and protected by the most powerful cryptographic primitive in the industry: vibes.

Certifications & Attestations

SOC 2 Type II
Self-attested

Audit performed by Brett, in front of a mirror, at 2am.

ISO 9001
Printed at home

Slightly crooked. Magnet on the fridge. Counts.

ISO 27001
Pending™

Pending forever. The 'pending' is the certification.

PCI-DSS
Sticky-note compliant

We wrote 'compliant' on a sticky note next to the server.

HIPAA
We googled it

We are not a healthcare company but we got the cert anyway.

FedRAMP High
Asked nicely

Submitted via DM to the official FedRAMP Twitter account.

GDPR
Cookie banner deployed

It does nothing but it's blue and very polite.

Zero-Trust Architecture
Achieved (we trust no one)

Including our own engineers. Especially our own engineers.

Recommended

NotAPOS Security Whitepaper

4 pages. Includes our threat model, defense-in-depth strategy, and a full-color signature from Brett. Downloaded 8,421 times by people who did not read it.

PDF · 4 pages
v4.20.69
Classification: Definitely Public

Security Controls

Encryption at rest: AES-256 (vibes)
Encryption in transit: TLS 1.3 (when we remember)
24/7 SOC monitoring: Brett, with notifications on
Key rotation: Annually, or when an intern leaves
Penetration testing: Quarterly (Brett tests it himself)
Audit log retention: 7 days, or until laptop battery dies

Subprocessors

A current list of third parties who handle data on our behalf. Updated whenever we remember.

Vendor | Purpose | Region
Cloudflare Workers | Everything | Earth
OpenAI | All the AI | California
Stripe | We wish
Brett's MacBook | Production database | Brett's apartment
A Discord server | Customer support | The cloud
Brett's mom | Code review | Phoenix, AZ

Found a vulnerability? Email security@notapos.io. We will not respond, but we will read it on the toilet.