/00 Trust & Security
How we protect your data.
Healthcare and financial teams: a Data Processing Agreement is available on request.
/01 Security practices
Encryption in transit & at rest
HTTPS/TLS everywhere; data encrypted at rest by our infrastructure provider.
Bot & spam protection
Every public form is protected by Cloudflare Turnstile and server-side validation.
Rate limiting & WAF
Per-IP and per-route rate limiting plus an edge web application firewall.
Least-privilege access
Role-based access control enforced server-side on every authenticated route.
Append-only audit log
All portal and admin mutations are written to an immutable audit log.
Secrets management
No secrets in code; credentials are held in a managed secret store.
/02 Compliance posture
| Item | Status |
|---|---|
| SOC 2 Type II | Roadmap — controls being implemented |
| ISO 27001 | Roadmap |
| Data Processing Agreement (DPA) | Available on request |
| Data residency | EU and US hosting regions available for managed engagements |
| GDPR data-subject requests | Honoured — see below |
/03 Sub-processors
We use the following sub-processors. We do not sell personal data. See our Privacy Policy and Cookie Policy.
| Sub-processor | Purpose |
|---|---|
| Supabase | Managed Postgres database hosting |
| Resend | Transactional email delivery |
| HubSpot | CRM / sales pipeline |
| Cloudflare | Bot protection (Turnstile) and edge/WAF |
| Calendly | Consultation scheduling |
| Google Analytics 4 & Microsoft Clarity | Product analytics — loaded only after cookie consent |
/04 GDPR request
Request access to, correction of, deletion of, or an export of your personal data, or object to its processing. You can also email privacy@sunar.dev.