Security
How we protect your data
AES-256 Encryption
All data at rest encrypted with AES-256
TLS 1.3 in Transit
Minimum TLS 1.3 on every connection
Per-tenant Isolation
No cross-tenant data access, ever
Immutable Audit Logs
7-year retention, tamper-proof records
MFA Supported
TOTP multi-factor for all accounts
72h Breach Notification
GDPR-compliant incident response
Infrastructure
CPAM runs on Vercel (application layer) and Amazon Web Services (database and storage). Both providers maintain SOC 2 Type II certification and ISO 27001 compliance. Application code is deployed from a locked-down CI/CD pipeline with branch protections and required review on all production changes.
Data is stored in a managed PostgreSQL database hosted on AWS RDS. Database instances are not publicly accessible — all connections route through a private VPC. Automated daily backups are retained for 30 days.
Encryption
Data at Rest
All data stored in our database is encrypted at rest using AES-256. API credentials you connect (FRED, BLS, EIA, etc.) are stored using envelope encryption with per-tenant keys — your credentials are never stored in plaintext.
Data in Transit
All connections to cpam.app use TLS 1.3. HTTP connections are automatically redirected to HTTPS. HSTS is enforced with a 1-year max-age and preloading.
Access Controls
Team-level Isolation
Every piece of data in CPAM — contracts, formulas, index series, audit logs — is scoped to a tenant ID. There is no way to query data across tenants.
Role-based Access
Team owners, administrators, and members have different permission levels. You control who on your team can view, edit, or export data.
CPAM Staff Access
CPAM engineers do not have routine access to customer data. Access to production systems requires MFA, is logged, and is limited to a small number of on-call engineers for support and incident response purposes.
Authentication
- Passwords are hashed using bcrypt with a work factor of 12 — we never store plaintext passwords
- Multi-factor authentication (MFA/TOTP) is available and strongly recommended for all accounts
- Session tokens are rotated on each login and expire after 7 days of inactivity
- Failed login attempts trigger rate limiting and account lockout after repeated failures
API Security
Public API keys (used for the REST API v1) are stored as HMAC-SHA256 hashes — the plaintext key is shown once at creation and never stored. All API endpoints enforce rate limiting: 60 requests/minute per key by default. Requests are rejected if the key is invalid, expired, or over quota.
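The key handling described above, shown as an added Python example that is not CPAM's own code: the plaintext key is returned once, only its HMAC-SHA256 digest is kept, and each request is checked for validity, expiry and quota. The `<id>.<secret>` key format, the server-side HMAC secret, the fixed-window counter and all names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side HMAC secret held outside the database (e.g. in a KMS).
SERVER_SECRET = secrets.token_bytes(32)
RATE_LIMIT = 60   # requests per key per window (the page's default)
WINDOW = 60       # window length in seconds


def key_digest(secret_part: str) -> str:
    """HMAC-SHA256 of the key's secret part; the only form that is stored."""
    return hmac.new(SERVER_SECRET, secret_part.encode(), hashlib.sha256).hexdigest()


class ApiKeyStore:
    def __init__(self):
        self.records = {}  # key id -> {"digest": str, "expires": float}
        self.usage = {}    # key id -> (window index, request count)

    def create(self, ttl_seconds: float, now: float = None) -> str:
        """Return the plaintext key once; keep only its digest and expiry."""
        now = time.time() if now is None else now
        key_id, secret_part = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.records[key_id] = {"digest": key_digest(secret_part),
                                "expires": now + ttl_seconds}
        return f"{key_id}.{secret_part}"  # hypothetical "<id>.<secret>" format

    def check(self, presented: str, now: float = None) -> str:
        """Return 'ok', 'invalid', 'expired' or 'over_quota'."""
        now = time.time() if now is None else now
        key_id, _, secret_part = presented.partition(".")
        record = self.records.get(key_id)
        # Compute and compare even for unknown ids so both paths do similar work.
        stored = record["digest"] if record else key_digest("")
        if not hmac.compare_digest(stored, key_digest(secret_part)) or not record:
            return "invalid"
        if now >= record["expires"]:
            return "expired"
        window = int(now // WINDOW)
        seen_window, count = self.usage.get(key_id, (window, 0))
        if seen_window != window:
            count = 0  # a new window resets the counter
        if count >= RATE_LIMIT:
            return "over_quota"
        self.usage[key_id] = (window, count + 1)
        return "ok"
```

A database dump of `records` alone does not yield usable keys, because recomputing a digest requires `SERVER_SECRET`.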
Audit Logging
Every data modification in CPAM generates an immutable audit log entry recording: who made the change, when, from which IP address, and what was changed. Audit logs are retained for 7 years and cannot be modified or deleted through the application interface.
Incident Response
CPAM maintains a documented incident response plan. In the event of a confirmed security breach:
- Affected customers will be notified within 72 hours
- GDPR supervisory authorities will be notified where required by law
- A post-incident report will be published for material incidents
Security incidents can be reported to security@cpam.app.
Responsible Disclosure
We welcome security researchers who responsibly disclose vulnerabilities. If you discover a security issue, please email security@cpam.app with a description of the vulnerability and steps to reproduce. We commit to:
- Acknowledging your report within 2 business days
- Providing a status update within 7 days
- Not pursuing legal action against researchers acting in good faith
Please do not: access or modify data that is not yours, perform denial-of-service attacks, or publicly disclose the vulnerability before we have had a reasonable opportunity to address it.
Contact our security team
For security reports, responsible disclosure, or questions about our security posture, reach out directly.
Security team: security@cpam.app