Security
Last updated: 2026-05-09
Effective: May 9, 2026
Security is foundational to Beeping. This page describes the administrative, technical, and physical safeguards we use to protect personal information, the Services, and your data, and how to reach us if you find a vulnerability.
1. Infrastructure
The Services run on Google Cloud Platform in US regions. We rely on Google Cloud's underlying physical security, network isolation, and SOC 2, ISO 27001, ISO 27017, and ISO 27018 certifications.
2. Encryption
- In transit: TLS 1.3 for all client-to-server traffic. Older TLS versions are disabled.
- At rest: AES-256 encryption applied transparently by Google Cloud's storage layer for all databases, object storage, and backups.
- Secrets: API keys, OAuth tokens, and credentials are stored encrypted; production secrets are managed in Google Secret Manager with audit logging.
- Passwords: hashed with bcrypt before storage; we never store plaintext passwords.
- API keys: stored as SHA-256 hashes; the plaintext key is shown to the user once at creation and cannot be retrieved afterwards.
3. Access Control
- Principle of least privilege: production access is limited to the smallest set of personnel necessary to operate the Services.
- MFA required for all administrative and infrastructure accounts.
- Audit logging of administrative access, data exports, and privileged actions.
- Role-based access control in our internal admin tooling.
4. Application Security
- Input validation at every API boundary.
- Rate limiting on authenticated and unauthenticated endpoints to mitigate abuse.
- Automated PII redaction in application logs and crash reports.
- Dependency monitoring with automated alerts on known-vulnerable packages, plus regular upgrades.
- Static analysis (linting, type checking) enforced in CI before merge.
5. Operational Security
- Backups: automated daily backups of customer data with point-in-time recovery; tested periodically.
- Monitoring: 24/7 automated monitoring of error rates, latency, and security signals; on-call rotation for critical incidents.
- Change management: production changes go through pull request review and pass automated tests before deployment.
- Vendor due diligence: every sub-processor (see /sub-processors) is reviewed for security posture before onboarding.
6. Incident Response
We maintain an incident response procedure consistent with the Florida Information Protection Act (FIPA) and applicable federal and state breach notification laws. In the event of a security incident affecting personal information:
- We contain and remediate the incident
- We assess scope and impact
- We notify affected users and applicable regulators within the time frames required by FIPA and any other applicable law
- We publish a post-incident summary where appropriate
7. Responsible Disclosure
If you believe you have found a security vulnerability in the Services, please report it to hello@beeping.io with the subject line "Security Disclosure."
We commit to:
- Acknowledge receipt within 3 business days
- Investigate and respond with a fix or mitigation timeline
- Credit responsible disclosures publicly with your permission
- Not pursue legal action against good-faith security research that complies with this disclosure process
Please:
- Give us a reasonable time to respond before publicly disclosing
- Do not access, modify, or delete data belonging to other users
- Do not perform denial-of-service testing against production
- Do not engage in social engineering of Beeping personnel
8. Bug Bounty
We do not currently run a paid bug bounty program. We will publish updates to this page if that changes.
9. Compliance
For details about how we handle personal information (including data retention, your rights, and breach notification), see our Privacy Policy. For the list of vendors we use to operate the Services, see /sub-processors.
10. Contact
- Security disclosures: hello@beeping.io (subject: "Security Disclosure")
- General privacy questions: hello@beeping.io
