Security & Disclosure

SK102 builds and maintains software for organizations that handle sensitive data — government records, healthcare information, financial transactions. Security is a discipline we owe those clients, not a marketing surface. This page describes how we work.

01

Reporting a vulnerability

If you have identified a security issue in any system operated by SK102, please email security@sk102.co. We monitor this address and respond to confirmed reports within 72 hours.

We support coordinated disclosure. If you provide reasonable time for remediation before public disclosure, we will not pursue legal action against good-faith research.

A machine-readable disclosure policy is available at /.well-known/security.txt.

02

Communication & data handling

  • All client communication uses TLS 1.3 over HTTPS.
  • Email is secured with SPF (hard fail), 2048-bit DKIM signing, and DMARC enforcement (p=reject).
  • Client data is stored only on infrastructure the client controls or has explicitly authorized. Source code lives in the client's version control account from the first commit, not ours.
  • Credentials are never stored in source control. Secrets management uses environment variables, encrypted at rest, with rotation on personnel changes.
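The email controls listed above (SPF hard fail, 2048-bit DKIM, DMARC p=reject) can be verified from a domain's published DNS TXT records. The following Python script is an added example, not SK102's code: it checks an SPF record for a trailing `-all`, a DMARC record for `p=reject` applied to 100% of mail, and a DKIM record for an RSA key of at least 2048 bits by decoding the DER SubjectPublicKeyInfo in its `p=` tag. The domain names, the records in `SAMPLE`, and the DKIM key are constructed placeholders; in use, fetch the real records (for example with `dig TXT <name>`) and pass those strings in.

```python
"""Verify that a domain's mail-authentication DNS records match a stated policy:
SPF with hard fail (-all), DMARC p=reject, DKIM RSA key of at least 2048 bits.
Added example; the sample records below are constructed, not a real domain's."""
import base64

# --- minimal DER helpers, enough to build and read an RSA SubjectPublicKeyInfo ---

def _der(tag, body):
    """Encode one TLV with a DER definite length (short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read(buf, pos=0):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

def fake_rsa_spki(bits):
    """Build a syntactically valid SPKI whose modulus is exactly `bits` long.
    The modulus is a constructed placeholder, not a usable key."""
    modulus = b"\x80" + b"\x01" * (bits // 8 - 1)          # MSB set -> exactly `bits` bits
    n = _der(0x02, b"\x00" + modulus)                       # leading 0x00 keeps INTEGER positive
    e = _der(0x02, b"\x01\x00\x01")                         # public exponent 65537
    rsa_key = _der(0x30, n + e)                             # RSAPublicKey SEQUENCE
    alg = _der(0x30, RSA_OID + b"\x05\x00")                 # AlgorithmIdentifier with NULL params
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))  # BIT STRING with 0 unused bits

def rsa_modulus_bits(spki):
    """Return the RSA modulus bit length from a DER SubjectPublicKeyInfo."""
    tag, outer, _ = _read(spki)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    _, _alg, pos = _read(outer)            # AlgorithmIdentifier, not needed here
    tag, bitstr, _ = _read(outer, pos)     # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_key, _ = _read(bitstr[1:])      # skip unused-bits octet, read RSAPublicKey
    tag, modulus, _ = _read(rsa_key)       # first INTEGER is the modulus n
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

# --- record checks ---

def _tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out

def check_spf(record):
    """Hard fail means the record's final term is '-all' (not ~all, ?all or +all)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"present": False, "hard_fail": False}
    return {"present": True, "hard_fail": terms[-1].lower() == "-all"}

def check_dmarc(record):
    """Enforced means p=reject and pct at its default of 100 (no partial rollout)."""
    t = _tags(record)
    ok = t.get("v", "").upper() == "DMARC1"
    policy = t.get("p", "none").lower() if ok else None
    enforced = ok and policy == "reject" and int(t.get("pct", "100")) == 100
    return {"present": ok, "policy": policy, "enforced": enforced}

def check_dkim(record, min_bits=2048):
    """Decode the p= key and measure it; non-RSA keys (k=ed25519) are not measured."""
    t = _tags(record)
    if t.get("k", "rsa").lower() != "rsa" or not t.get("p"):
        return {"present": bool(t.get("p")), "bits": None, "strong": False}
    bits = rsa_modulus_bits(base64.b64decode(t["p"]))
    return {"present": True, "bits": bits, "strong": bits >= min_bits}

# Constructed sample records standing in for DNS TXT answers (placeholder domain).
SAMPLE = {
    "example.com": "v=spf1 include:_spf.mail.example.net -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "sel1._domainkey.example.com":
        "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(2048)).decode(),
}

def audit(records):
    """Run all three checks over a dict of name -> TXT record."""
    return {"spf": check_spf(records["example.com"]),
            "dmarc": check_dmarc(records["_dmarc.example.com"]),
            "dkim": check_dkim(records["sel1._domainkey.example.com"])}

if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(f"{name}: {result}")
```

The DKIM check decodes the key's DER structure rather than inferring size from the length of the base64 text, so a truncated or padded record is caught instead of passing by accident; an `~all` SPF record or a `p=quarantine` / `pct=50` DMARC record is reported as not enforced, which is the usual way a claimed policy quietly falls short.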

03

Development practices

  • Every change goes through pull request review before merge to the main branch.
  • Pre-commit hooks run linters, type checks, and the test suite locally.
  • Continuous integration runs the same checks on every PR. Failed checks block merge.
  • Post-merge CI re-runs full integration tests and security scans against the merged main branch.
  • Direct pushes to the main branch are disabled.
  • Dependency updates are reviewed for breaking changes and known vulnerabilities before merge.

04

Infrastructure

  • Production traffic is fronted by Cloudflare for DDoS protection, WAF, and TLS termination.
  • Application servers run in containerized environments with limited host privileges.
  • Logs are retained for incident review and rotated on a defined schedule.

05

Incident response

If a security incident occurs that affects a client's data or systems, the client is notified within 24 hours of confirmation, with a summary of what is known, what remediation is in progress, and what the client should do. A written postmortem follows within 14 days.

06

What we do not claim

We are not currently SOC 2 certified, nor are we HIPAA-attested. We follow the controls and disciplines those frameworks codify, and we will pursue formal attestation as the practice grows. We will not represent ourselves as certified before we are.

07

Contact

Last updated: April 2026