This page documents our security practices plainly. No marketing language. If something is not done, we say so.
Request path (architecture overview): your browser (HTTPS, TLS 1.2+) → Vercel Edge CDN (provider holds SOC 2 Type II; global) → edge auth (HTTP Basic, admin paths only) → React application (served from the CDN) → API routes (serverless functions) → Supabase (provider holds SOC 2 Type II; row-level security policies).
Requests for admin paths are intercepted by edge middleware before the React application or any API route runs. Client data never leaves the Supabase project scoped to that engagement.
Every engagement starts with a signed scope document. Every delivery ships with a runbook, recovery procedure, and change log. Nothing leaves without documentation.
API keys, credentials, and environment secrets are never committed to version control. Environment variables are provisioned via the deployment platform (Vercel) and rotated on access-change events.
Admin surfaces are gated at the Vercel edge via HTTP Basic Auth before any content is served. They are absent from the sitemap, disallowed in robots.txt, and never linked from public pages. Basic Auth sends the credentials base64-encoded (not encrypted) on every request, so this gate is only as strong as the TLS transport in front of it and the entropy of the secret behind it; the secret itself lives in the deployment platform's environment, not in source.
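The following is an added example of such an edge gate, written in the style of a Vercel/Next.js middleware; it is not the studio's own code. The environment-variable names ADMIN_USER and ADMIN_PASS, the /admin prefix and the realm name are assumptions. It uses only the web-standard Request/Response API (available on the Vercel Edge runtime and in Node 18+), so it runs offline as written.

```javascript
// Added example: HTTP Basic Auth gate for admin paths at the edge.
// Not the studio's own code. ADMIN_USER / ADMIN_PASS and the /admin prefix
// are assumed names; fallbacks exist only so the example runs stand-alone.

const ADMIN_PREFIX = "/admin";

// Credentials come from the deployment platform's environment, never from source.
const EXPECTED_USER = process.env.ADMIN_USER ?? "admin";
const EXPECTED_PASS = process.env.ADMIN_PASS ?? "correct horse battery staple";

// Length-independent comparison: a plain === stops at the first differing
// byte, which leaks prefix information through timing. This walks the full
// length of the longer input regardless of where the mismatch is.
function timingSafeEqual(a, b) {
  const enc = new TextEncoder();
  const x = enc.encode(a);
  const y = enc.encode(b);
  let diff = x.length ^ y.length;
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  }
  return diff === 0;
}

// Parse "Authorization: Basic base64(user:pass)". Returns null for a missing,
// non-Basic, or malformed header. atob is a global on the edge and in Node 16+.
function parseBasicAuth(header) {
  if (!header) return null;
  const [scheme, encoded, ...rest] = header.trim().split(/\s+/);
  if (!scheme || scheme.toLowerCase() !== "basic" || !encoded || rest.length) return null;
  let decoded;
  try {
    decoded = atob(encoded);
  } catch {
    return null; // invalid base64
  }
  // Split on the first ':' only; the password may itself contain ':'.
  const sep = decoded.indexOf(":");
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// True only when both username and password match. Both comparisons always
// run, so a wrong username costs the same time as a wrong password.
function isAuthorized(header) {
  const creds = parseBasicAuth(header);
  if (!creds) return false;
  const userOk = timingSafeEqual(creds.user, EXPECTED_USER);
  const passOk = timingSafeEqual(creds.pass, EXPECTED_PASS);
  return userOk && passOk;
}

// Middleware entry point. Returning undefined means "let the request through"
// (NextResponse.next() in real Next.js middleware). Only /admin and /admin/...
// are gated; everything else is untouched.
function middleware(request) {
  const url = new URL(request.url);
  const gated = url.pathname === ADMIN_PREFIX || url.pathname.startsWith(ADMIN_PREFIX + "/");
  if (!gated) return undefined;
  if (isAuthorized(request.headers.get("authorization"))) return undefined;
  return new Response("Authentication required", {
    status: 401,
    headers: {
      "WWW-Authenticate": 'Basic realm="admin", charset="UTF-8"',
      "Cache-Control": "no-store",          // the CDN must never cache the challenge
      "X-Robots-Tag": "noindex, nofollow",  // belt and braces alongside robots.txt
    },
  });
}

// In a real deployment the file exports `middleware` and a matcher so the
// function is only invoked for these paths:
//   export const config = { matcher: ["/admin/:path*"] };
```

Two points worth checking in any such gate: the 401 response carries Cache-Control: no-store so the CDN never serves a cached challenge (or, worse, a cached authorized response) to another client, and the path match is done on the parsed URL pathname, so "/admin/../x" normalises to "/x" and is correctly treated as public rather than slipping past a naive string prefix check.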
Dependencies are pinned to known versions. Dependabot and manual audit reviews are run on a regular cadence. Unused packages are removed.
We collect only the data required for a specific engagement. CRM and ops data live in Supabase with row-level security policies. Client data is never commingled across engagements.
Every shipped system includes a documented recovery procedure tested before delivery. Database backups are configured at the infrastructure level. Recovery time is specified in the runbook.
The principle of least privilege is applied to all service accounts and API integrations. Credentials are scoped to the minimum permissions required. Access is revoked immediately at engagement close.
All client communication happens over encrypted channels. Documents and sensitive materials are shared via link-protected storage, not as email attachments. NDAs are executed for engagements that involve proprietary data.
We are honest about being a single-operator practice. Every engagement ships with runbooks, recovery procedures, and credential escrow so a vetted backup operator can take over within a defined window. The continuity plan is shared in writing for engagements where it matters.
SOTO ⟂ DEV is an independent AI engineering studio operating from San José, Costa Rica. We do not currently hold SOC 2 Type II, ISO 27001, or other formal certifications. We are a single-operator practice: one named engineer (Alvin Soto) holds primary access, backed by a documented continuity plan — runbooks, recovery procedures, and credential escrow so a vetted backup operator can take over delivery if the principal is unavailable. Enterprises requiring certified infrastructure should discuss their specific requirements on a discovery call — we can scope and architect compliant solutions that route through certified cloud providers and meet your security requirements.
Security questions specific to your engagement? Send them directly.
If you find a vulnerability, report it to rs@sotoprojdev.com with "Security disclosure" in the subject line. We will acknowledge within 24 hours and respond with a remediation timeline within 72 hours. We do not pursue legal action against good-faith security researchers.