Security

This page describes the controls that are currently in place for ControlTeamHQ launch operations.

Application and infrastructure security

  • Traffic served via Cloudflare edge infrastructure with TLS in transit.
  • Security headers configured at the application level.
  • Secrets managed through environment configuration and not hardcoded in source.

Billing security

  • Stripe-hosted Checkout handles card collection.
  • Webhook signatures are validated for inbound Stripe events.
  • Outbound provisioning webhooks are signed using timestamped HMAC SHA-256 headers.

Access control and operations

  • Production access is restricted to authorized operators.
  • Changes are deployed through controlled release workflows.
  • Incident handling follows triage, containment, and customer communication steps.

Current limitations

No certification claims (for example, ISO 27001 or SOC 2) are made at this stage. This page will evolve as controls and attestations mature.