This page describes the controls we have in place today, the standards we work to, and the items on our roadmap. We aim to be factual rather than aspirational. If something is not on this page, we do not currently do it.
The protections below are operational. Each one is described in terms of the system it depends on, not in terms of a marketing category.
Customer data is stored in MongoDB Atlas. Atlas applies AES-256 encryption at the storage layer for our database cluster.
All traffic to and from notifyn.net is served over TLS 1.3 via Cloudflare and Vercel. HSTS is enabled with a one-year max-age and the includeSubDomains directive.
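A quick way for a reviewer to confirm the HSTS claim above is to parse the Strict-Transport-Security header and compare it against the stated baseline (one-year max-age, includeSubDomains present). The following is an added example, not code from Notify'n; the sample header value is constructed to match what this page describes, not captured from the live site.

```python
import sys

# Constructed sample matching the policy stated on this page (not a live capture).
SAMPLE_HSTS = "max-age=31536000; includeSubDomains"

ONE_YEAR_SECONDS = 31536000


def parse_hsts(value):
    """Split a Strict-Transport-Security value into a dict of directives.
    Directive names are case-insensitive per RFC 6797; values are kept as given."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(value, min_max_age=ONE_YEAR_SECONDS, require_subdomains=True):
    """Return (ok, findings). ok is True when the header meets the baseline."""
    findings = []
    d = parse_hsts(value)
    if "max-age" not in d:
        findings.append("missing max-age (header is invalid without it)")
    else:
        try:
            max_age = int(d["max-age"])
        except ValueError:
            findings.append(f"max-age is not an integer: {d['max-age']!r}")
        else:
            if max_age == 0:
                findings.append("max-age=0 instructs browsers to drop the policy")
            elif max_age < min_max_age:
                findings.append(f"max-age {max_age} is below baseline {min_max_age}")
    if require_subdomains and "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains remain reachable over plain HTTP")
    return (not findings, findings)


if __name__ == "__main__":
    # Pass a header value on the command line, e.g. the one curl -I reports.
    value = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_HSTS
    ok, findings = check_hsts(value)
    print("OK" if ok else "\n".join(findings))
```

Run it against the value from `curl -I https://notifyn.net` to check that the deployed header still matches the statement here; the check deliberately treats `max-age=0` as a finding, since that value tells browsers to forget the policy rather than enforce it.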
Accounts can enrol in TOTP-based two-factor authentication. Workspace administrators can require it for their members.
Notify'n is multi-tenant. Every record is scoped by workspace and access is mediated by the same authorisation layer used by the rest of the application.
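The workspace scoping described above is the control that stops one tenant reading another's records by guessing an id. The following added example (not Notify'n's code) shows the pattern in an in-memory stand-in for a collection: every lookup starts from the caller's workspace, and a lookup by id alone is shown beside it as the bug the scoping layer exists to prevent. The `Principal` and `CHANNELS` data are constructed for illustration.

```python
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a caller tries to widen a query beyond its own workspace."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    workspace_id: str  # the workspace this session is authenticated into


# Constructed stand-in for a document collection: every record carries workspace_id.
CHANNELS = [
    {"_id": "ch_1", "workspace_id": "ws_a", "name": "alerts"},
    {"_id": "ch_2", "workspace_id": "ws_b", "name": "billing"},
]


def scoped_filter(principal, extra=None):
    """Build a query filter that always pins workspace_id to the caller's workspace.

    A caller-supplied filter may add conditions but may not point at another workspace.
    """
    extra = dict(extra or {})
    if "workspace_id" in extra and extra["workspace_id"] != principal.workspace_id:
        raise AuthorizationError("filter selects a workspace the caller is not in")
    extra["workspace_id"] = principal.workspace_id
    return extra


def find_channel(principal, channel_id):
    """Look up by id *and* workspace: a foreign id yields None, not the other tenant's record."""
    query = scoped_filter(principal, {"_id": channel_id})
    for doc in CHANNELS:
        if all(doc.get(k) == v for k, v in query.items()):
            return doc
    return None


def unscoped_find_channel(channel_id):
    """The id-only lookup the scoping layer replaces; any tenant can reach any record."""
    for doc in CHANNELS:
        if doc["_id"] == channel_id:
            return doc
    return None


def list_channels(principal):
    """Listing goes through the same filter, so there is no separate code path to forget."""
    query = scoped_filter(principal)
    return [d for d in CHANNELS if all(d.get(k) == v for k, v in query.items())]
```

Routing every read through `scoped_filter` means the tenant check is not something each handler has to remember; a test that a principal in `ws_a` gets `None` for `ch_2` is the regression test worth keeping for this property.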
Notify'n does not hold SOC 2, ISO 27001, or HIPAA certifications. The statements below describe how we approach the regulations that apply to us.
We process data of EU residents and follow GDPR principles: data minimisation, purpose limitation, and the rights of access, rectification, and erasure. Our DPA is available on request for Enterprise customers.
We honour CCPA rights for California residents, including the right to know, the right to delete, and the right to opt out of the sale or sharing of personal information.
Marketing campaigns sent through Notify'n include the unsubscribe handling and sender identification that the CAN-SPAM Act requires. Senders remain responsible for the content they choose to send.
We list these openly because reviewers should be able to see what is and is not in place. Items move from planned to in development to operational; once operational they appear in the section above.
We have not begun a SOC 2 audit. The intent is to scope a Type I engagement once we have signed our first audit-required Enterprise contract.
We have not commissioned an external penetration test. The plan is one full external test per year, beginning in 2026.
A written incident response and notification plan is being drafted. Today our process is informal and undocumented; we are not claiming a 24/7 SOC.
A safe-harbour disclosure policy is in place at /security/disclosure and replaces our previous bug bounty page. We do not pay bounties.
We welcome reports of security issues affecting Notify'n from researchers who follow our disclosure policy. Reports should be sent to security@notifyn.net.
We do not pay bounties. We provide safe harbour for good-faith research, and may credit researchers whose reports lead to fixes once the underlying issue is resolved.
Read the full disclosure policy.
For questionnaires, DPA requests, or sub-processor enquiries, write to our security address. We reply once a person has triaged the request.