Security at Gray Reserve is engineered, not outsourced. Every layer of our stack — hosting, database, auth, background jobs, email, monitoring — is selected for its security posture and instrumented from day one. We build to a SOC 2 Type II baseline without chasing a certificate for marketing, because the controls are what actually keep your data safe.
Infrastructure
The Gray Reserve marketing site and growth platform run on a hardened edge stack:
- Vercel Edge Network. Global CDN and serverless compute with automatic TLS, DDoS absorption, and deployment isolation.
- Neon Postgres. Serverless PostgreSQL hosted in U.S. regions, with point-in-time recovery, branch isolation for preview environments, and automatic failover.
- Cloudflare. Authoritative DNS, edge caching, bot management, WAF rules, and rate limiting in front of every origin.
- Cloudflare R2. Object storage for reports, audit exports, and binary assets with zero-egress pricing and S3-compatible access controls.
- Inngest. Durable background job runner with built-in retry, concurrency limits, and step-level observability.
We do not self-host security-critical infrastructure. Every primary vendor in our stack maintains SOC 2 Type II or ISO 27001 certification.
Encryption
All data in transit is protected with TLS 1.2 or higher. HTTPS is enforced by HSTS with a one-year max-age and includeSubDomains; HTTP requests are rejected at the edge. Our TLS configuration scores A+ on Qualys SSL Labs.
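A small check for the HSTS policy stated above (one-year max-age plus includeSubDomains), added here as an example and not code from Gray Reserve's stack. It assumes the Strict-Transport-Security header value has already been captured from an HTTPS response; the sample headers in the test are constructed.

```python
# Validate a Strict-Transport-Security header against the stated policy.
# Directive handling follows RFC 6797: names are case-insensitive, the
# max-age value may be quoted, and a repeated directive invalidates the header.

ONE_YEAR_SECONDS = 365 * 24 * 60 * 60  # 31536000, the one-year max-age on the page


def parse_hsts(header: str) -> dict:
    """Return {lowercase-name: value} for each directive; raise on duplicates."""
    directives = {}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing semicolon
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age="31536000" is legal
        if name in directives:
            # RFC 6797: a UA must ignore a header with a repeated directive
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    return directives


def check_hsts(header):
    """Return a list of findings; an empty list means the header meets the policy."""
    if header is None:
        return ["Strict-Transport-Security header missing"]
    try:
        d = parse_hsts(header)
    except ValueError as e:
        return [str(e)]
    findings = []
    if "max-age" not in d or not d["max-age"].isdigit():
        findings.append("max-age missing or non-numeric")
    elif int(d["max-age"]) < ONE_YEAR_SECONDS:
        findings.append(f"max-age {d['max-age']} is below one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    return findings


if __name__ == "__main__":
    # Constructed sample: a header that satisfies the policy described on the page
    print(check_hsts("max-age=31536000; includeSubDomains; preload"))
```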
All data at rest is encrypted with AES-256. Neon Postgres encrypts storage and snapshots at the platform level. Cloudflare R2 encrypts every object with server-side encryption. Backups inherit the same encryption guarantees as the primary store.
Authentication
Authentication for the Gray Reserve growth platform is managed by Clerk. Clerk provides hardened password hashing (bcrypt with per-user salt), session management with secure HTTP-only cookies, multi-factor authentication via TOTP and WebAuthn, and automatic device fingerprinting to detect suspicious sign-ins.
MFA is required for every internal Gray Reserve account and offered to every client account. Administrative sessions expire after 24 hours of inactivity. Failed login attempts are rate limited at the edge and trigger alerts after repeated anomalies.
Secrets management
Application secrets — API keys, database URLs, webhook signing keys — are stored exclusively in Vercel environment variables, scoped per environment (production, preview, development), and never committed to source control. Developer secrets are stored in a shared Bitwarden vault with organization-level access controls.
We do not use shared production credentials. Every integration key is uniquely issued, and rotation is triggered automatically by any departure, role change, or suspected exposure.
Access control
Access to client data follows the principle of least privilege. Roles are explicit and enforced at the application layer:
- Super admin. Jeff Gray only. Required for billing, account provisioning, infrastructure changes.
- Engagement lead. Assigned per client engagement, scoped to the client workspaces that person operates.
- Contractor. Time-bound access to specific workspaces for a specific deliverable. Revoked automatically at contract end.
- Client. Access limited to the client's own workspace. Cannot see other clients' data, ever.
Every privileged action — role change, data export, secret rotation, production deployment — is logged to an append-only audit trail and reviewed weekly.
Monitoring & GRRE
Gray Reserve operates an in-house reliability platform called GRRE — the Gray Reserve Reliability Engine. GRRE replaces the usual third-party observability stack (Sentry, Better Stack, PagerDuty) with a purpose-built system that monitors every critical surface from a single pane of glass.
- Uptime and latency probes against every public surface at 60-second intervals.
- Real-time error capture and aggregation from Vercel serverless functions, Inngest jobs, and Neon query logs.
- Anomaly detection on traffic, auth, and database query patterns.
- Alert routing to Slack channels with automatic severity classification and on-call rotation.
- Public status reporting through the platform dashboard for active clients.
Because GRRE is our own software running on our own infrastructure, we have full control over what it sees and where the data lives. Client telemetry never leaves our environment for a third-party observability vendor.
Backups & disaster recovery
Neon Postgres provides continuous point-in-time recovery with a 30-day retention window on all production databases. We perform weekly restore drills against an isolated environment to verify backup integrity.
Our disaster recovery plan targets a Recovery Time Objective (RTO) of four hours and a Recovery Point Objective (RPO) of fifteen minutes for the growth platform. The plan is documented, assigned to named owners, and tested quarterly.
SOC 2 Type II baseline
Gray Reserve commits to operating at a SOC 2 Type II baseline across the five trust service criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. This means our controls — access management, change management, incident response, vendor management, data classification — mirror what a Type II audit would examine, and they run every day whether or not an auditor is watching.
We can make our control documentation available to prospective clients under NDA. For clients who require a formal attestation, we can engage a third-party CPA firm for a scoped audit as part of the engagement.
Vulnerability disclosure
If you discover a security vulnerability in any Gray Reserve property, please report it to security@grayreserve.com. We commit to:
- Acknowledging receipt within one business day.
- Investigating every good-faith report and providing a status update within five business days.
- Remediating valid vulnerabilities on a severity-weighted timeline (critical within 72 hours, high within 7 days, medium within 30 days).
- Crediting researchers in our security advisory notes, if requested.
- Not pursuing legal action against good-faith security research that follows this policy.
Please do not disclose a vulnerability publicly before we have confirmed remediation. Do not access, modify, or exfiltrate data belonging to any user during your research.
Data subprocessors
The complete list of data subprocessors is published in the Privacy Policy and updated whenever a change takes effect. Every subprocessor has been vetted against SOC 2 Type II or equivalent controls, bound by a data processing agreement, and reviewed annually.
Contact
Security questions, vendor due diligence requests, or coordinated disclosure? Reach us through the channels below.