Security
Built for an audience that checks
Our users evaluate security postures for a living. Here is ours, stated plainly, including what we deliberately do not have.
Architecture
- Static-first. The site is pre-rendered HTML served from Cloudflare's edge. There are no sessions, no cookies, no accounts, and no server-side rendering: the attack surface for reading this site is a static file.
- Three small write endpoints (email capture, Network profiles, recruiter briefs) run as Cloudflare Pages Functions. Each validates input, enforces per-IP rate limits, filters bots, and writes to isolated, access-controlled KV namespaces. Nothing they store is ever rendered back to the web.
- Interactive tools run entirely in your browser. Readiness and Scapegoat scores are computed client-side; answers are never transmitted.
- Transport and browser hardening: HSTS, a restrictive Content-Security-Policy, X-Frame-Options DENY, nosniff, strict referrer policy, and a locked-down Permissions-Policy on every response.
Data handling
- Data minimalism by design: we store what the forms show and nothing else. No IP addresses are retained (country code only), no tracking cookies, no advertising pixels.
- Network profiles are read only by the operator for double-opt-in matching, shared with vetted recruiters in anonymized form, and deleted on request within 72 hours. Details in the privacy policy.
- Payments never touch our infrastructure; they are processed by the payment provider.
What we don't claim
No SOC 2 report, no bug bounty program, and no 24/7 security team: this is a small product run by a practitioner, secured by keeping the design boring and the data minimal. We would rather tell you that than imply otherwise with a page of badges.
Vulnerability disclosure
Found something? We want it. Email hello@cisoprep.com (also published at /.well-known/security.txt). You'll get a human reply within two business days, credit if you want it, and no legal theater for good-faith research.