Skip to content
Startup ScreenerSecurity & Trust
Sign In
Security & trust

Current security posture, documented narrowly and without unsupported compliance claims.

This page describes the controls visible in the current source and live deployment path. It is intended to make the founder-led product easier to evaluate, not to imitate a larger enterprise trust center.

Open privacy policyFounder and product context

Responsible owner

Nay Linn Aung

Founder & Full-Stack Engineer

na27@hood.edu

Public trust summary

HTTP response headers are hardened at the edge.

Sessions use HttpOnly cookies and production secure-cookie validation.

SOC 2 is not claimed here because it is not in place.

Implemented controls

Controls that are currently documented in source and deployment

These are the operational and application-level safeguards Startup Screener can support publicly today.

Transport and edge headers

The live site is served over HTTPS behind Caddy with HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers.

Authentication and sessions

Local accounts use server-managed HttpOnly session cookies. Production startup validation rejects insecure session-cookie configuration and the default secret key.

Anonymous abuse controls

The public quick-screen route supports IP-hash-based rate limiting, and the tracked configuration defaults to 5 uploads per 1 day for anonymous quick-screen use.

Secrets and runtime configuration

Sensitive settings support file-backed secret injection, including SECRET_KEY_FILE, DATABASE_URL_FILE, and ANTHROPIC_API_KEY_FILE, while the Google path prefers service-account credentials.

Observability and readiness

API responses emit X-Request-ID, the API logs structured request lines with method, route, status, latency, and client IP, and health plus readiness endpoints are exposed for monitoring.

Data cleanup controls

Anonymous quick-screen expiry purges stored files and rows after 7 days, and local-account deletion removes owned workspace data plus associated storage artifacts.

Runtime visibility

Health, readiness, and monitoring details

The live deployment and the tracked docs expose a modest but real operational layer rather than only brochure-level claims.

Prometheus metrics

Platform-admin monitoring can scrape a Prometheus-compatible endpoint for request, queue, fallback, and manual-review metrics.

Writable storage checks

The readiness path checks both database connectivity and writable storage instead of returning an unconditional success payload.

Same-origin web/API path

The web app uses a same-origin /api boundary in deployment, which keeps browser API traffic on the site origin instead of exposing a separate public frontend-to-API domain.

Explicit non-claims

What this site does not claim

Startup Screener does not claim SOC 2 certification on this public site.

Startup Screener does not claim a third-party security audit or penetration-test report that is not published here.

Startup Screener does not claim HIPAA, ISO 27001, or broader enterprise compliance coverage that is not documented in the tracked source and public deployment materials.

If the public trust posture changes in the future, this page should be updated to reflect the real implementation and published evidence rather than aspirational compliance language.