Security Posture
A one-page summary of how PartsPort protects Customer data. For procurement questionnaires, see also the DPA and the subprocessor list.
1. Encryption
Data in transit is protected with TLS 1.3 between client browsers and PartsPort, and between PartsPort and its service providers. HTTP requests to the platform are redirected to HTTPS.
Data at rest is encrypted with AES-256 by our managed database provider (Neon) and our blob storage provider (Vercel Blob). Database backups are encrypted by the provider.
2. Authentication
User passwords are stored as bcrypt hashes with a per-user salt; PartsPort never stores plaintext passwords. A minimum password length of 8 characters is enforced.
Optional TOTP-based two-factor authentication is available to every user. Account events that change credentials (password reset, password change, 2FA disable, email change confirmation, account self-delete) invalidate all existing sessions server-side by bumping a sessionsValidFrom timestamp checked on every request.
Session tokens are signed JWTs issued by the platform. Rotation of the signing secret is handled as an operational procedure; the platform refuses to start in production unless the secret is at least 32 characters long.
4. Infrastructure
Application hosting: Vercel, primary region US-East. Database: Neon managed Postgres, US-East. Blob storage: Vercel Blob. Rate limiting: Upstash Redis. Error tracking: Sentry. Email: Resend. Payments: Stripe. Freight: Shippo. AI inference: Anthropic. DNS and edge: Cloudflare.
All Customer Personal Data is processed in the United States. PartsPort does not currently transfer Customer Personal Data outside the United States in the ordinary course of operating the Service.
5. Vulnerability management
Production errors and security-relevant exceptions are captured by Sentry and reviewed. Dependency updates and security advisories are tracked via GitHub Dependabot and reviewed against the application's dependency graph.
Code changes flow through a single-branch review process with build gating; production deploys are blocked when the build is failing. Material changes to authentication, authorization, payments, or freight pricing receive a manual review pass focused on security.
6. Incident response
PartsPort maintains an incident response process targeting initial notification of affected customers within 24 hours of confirming a Personal Data Breach. Affected user accounts are isolated where appropriate (forced password reset, session invalidation, role suspension) while the incident is investigated and contained.
Post-incident, PartsPort produces a short written summary covering scope, root cause, remediation, and follow-up actions, available to affected Customers on request.
7. Compliance status
PartsPort is working toward SOC 2 Type II readiness. PartsPort does not hold a current SOC 2 attestation and does not hold an ISO 27001 certificate. PartsPort has not engaged a third-party auditor to attest to its controls at this time. PartsPort will publish any future attestation status on this page.
PartsPort honors data subject rights under GDPR and CCPA as described in the Privacy Policy and Data Processing Addendum.
8. Data retention and deletion
Audit log entries are retained for 90 days for security investigations and trend analysis. Financial and transaction records (orders, invoices, payouts, tax records) are retained for seven years to satisfy IRS and equivalent record-keeping requirements.
Account information is retained while the account is active. On account closure, identifying details are anonymized and the account is hard-deleted after a 30-day grace period.
9. Reporting a vulnerability
Send vulnerability reports to security@partsport.agentgaming.gg. Include reproduction steps and an affected URL. PartsPort acknowledges reports within 5 business days and does not pursue legal action against good-faith security research conducted within the scope of this page.