Encryption, access controls, audits. Boring, critical, done right.
TLS 1.3 in transit. AES-256 at rest. Secrets in AWS KMS. Full-disk encryption on every production volume.
SSO + 2FA required for all staff. Principle of least privilege. Engineer access is logged and reviewed quarterly.
Daily encrypted backups. 30-day retention. Restore drills run monthly. Cross-region replication for disaster recovery.
24/7 anomaly detection on auth events, payments, and data access. Automated alerting to on-call.
SOC 2 Type II audited annually. Penetration tests twice a year by a third-party firm. Report available on request.
AWS us-east-1. Private VPC. No production data ever touches developer laptops. CI/CD with signed deploys.
Certifications and frameworks we align with. We publish honestly — if we don't have it, we'll say so.
Please email info@z6coaching.com with details. We'll acknowledge within 24 hours and patch critical issues within 7 days.
Rules: don't access data that isn't yours, don't disrupt the service, don't publish until we've patched.
We don't run a formal bug bounty program yet — but we send thank-you swag, a public credit on this page (if you want it), and a real conversation with engineering. We're working on something more formal.
Rate-limit bypass
IDOR on exports
CSRF in webhook settings
XSS in rich-text editor