Compliance

Security & Data Handling

Mosaic Ridge LLC hosts production workloads on US-based infrastructure with TLS-enforced transport, role-based access control, database row-level security on all multi-tenant data, and an OWASP-aware build process. Detailed security documentation is available to qualified prospects under NDA.

Hosting & sub-processors

Application hosting: Vercel — US-based regional edge network with serverless compute. SOC 2 Type 2 attested.
Database: Supabase managed Postgres — SOC 2 Type 2 attested. Encrypted at rest with backups retained per service tier.
Email transport: Resend — transactional email with TLS-enforced delivery and DKIM/SPF on all outbound mail.
Payment processing: Stripe — PCI DSS Level 1. We never store payment card data.
Object storage: Supabase Storage with row-level security enforced for tenant isolation.

A complete sub-processor list is provided to qualified prospects under NDA as part of vendor diligence.

Transport & authentication

  • TLS 1.2+ enforced on every public endpoint
  • Strict-Transport-Security headers on all marketing and authenticated routes
  • HTTP/2 on all production deployments
  • All authentication flows use PKCE-protected OAuth

Access control

  • Role-based access control on all administrative interfaces
  • Database-level row security on every multi-tenant table
  • Sessions secured with HttpOnly, Secure and SameSite cookie attributes
  • Audit log of administrative actions (admin dashboard CRUD)
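The tenant-isolation control named above (row-level security on every multi-tenant table, and on object storage) is shown below as an added worked example in Postgres SQL. It is not Mosaic Ridge's or Supabase's own schema: the table, column, role and setting names (`documents`, `tenant_id`, `app_user`, `app.tenant_id`) are assumptions chosen for illustration.

```sql
-- Added example: Postgres row-level security for tenant isolation.
-- Table, column, role and setting names are assumptions, not the page's schema.
CREATE TABLE documents (
  id         bigserial PRIMARY KEY,
  tenant_id  uuid NOT NULL,
  title      text NOT NULL
);

-- Enable RLS, and FORCE it so the table owner is also subject to the policy.
-- Without FORCE, an application that connects as the owner bypasses RLS.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- One policy covers reads (USING) and writes (WITH CHECK).
-- current_setting(..., true) returns NULL instead of raising when the setting
-- is absent, and nullif() maps a reset (empty) value to NULL as well, so an
-- unscoped session sees and writes zero rows rather than every tenant's rows.
CREATE POLICY tenant_isolation ON documents
  USING      (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid);

-- The application role gets plain DML rights and no BYPASSRLS attribute.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO app_user;

-- Per-request scoping, done inside the transaction so the tenant id cannot
-- leak into the next request on a pooled connection (constructed sample ids).
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id TO '11111111-1111-1111-1111-111111111111';

-- Visible rows are only those with the session's tenant_id.
SELECT id, title FROM documents;

-- Writing a row for another tenant violates WITH CHECK and raises an error,
-- aborting the transaction; shown here in a savepoint so the demo continues.
SAVEPOINT cross_tenant_attempt;
INSERT INTO documents (tenant_id, title)
  VALUES ('22222222-2222-2222-2222-222222222222', 'should be rejected');
ROLLBACK TO SAVEPOINT cross_tenant_attempt;
COMMIT;
```

The check a reviewer wants from such a setup is that the policy is enforced for the role the application actually connects as: `FORCE ROW LEVEL SECURITY` and the absence of `BYPASSRLS` on that role are what make the row filter a control rather than a convention.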

Data handling

  • Client data is encrypted at rest by the underlying database providers
  • We do not store payment card data — Stripe handles all PCI scope
  • Data residency: production workloads run in US-based regions
  • Backup retention follows the service tier of the underlying database and is documented per engagement
  • Sub-processor list provided to qualified prospects on request

Build process & standards

  • Custom-coded Next.js — no third-party CMS plugin attack surface
  • OWASP Top 10 awareness baked into the build process
  • Automated dependency scanning and patching via Dependabot
  • All deployments require lint, type-check, test, and build to pass before merge
  • npm audit security advisories reviewed on every dependency change

Incident response

  • We document and disclose security incidents to affected clients within 72 hours of confirmation
  • Detailed incident response plan available under NDA for procurement diligence
  • Post-incident reports include root cause, remediation, and prevention measures

Standards summary

  • Accessibility: WCAG 2.1 Level AA (see Accessibility Statement)
  • Section 508: conformant on public-sector engagements
  • Application security: OWASP-aware build process. No third-party CMS plugin attack surface.

Request security documentation

For vendor due-diligence reviews, we provide a more detailed security packet under NDA on request, including sub-processor list, incident response plan, data flow diagrams, and architecture summary.

Call (540) 225-2263