Application and infrastructure security
- Traffic served via Cloudflare edge infrastructure with TLS in transit.
- Security headers configured at the application level.
- Secrets managed through environment configuration and not hardcoded in source.
Security
This page describes current factual controls for ControlTeamHQ launch operations.
Billing security
- Stripe-hosted Checkout handles card collection.
- Webhook signatures are validated for inbound Stripe events.
- Outbound provisioning webhooks are signed using timestamped HMAC SHA-256 headers.
Access control and operations
- Production access is restricted to authorized operators.
- Changes are deployed through controlled release workflows.
- Incident handling follows triage, containment, and customer communication steps.
Current limitations
No certification claims (for example ISO 27001/SOC 2) are made at this stage. This page will evolve as controls and attestations mature.