Security
Small studio, small surface area, careful defaults. Here's how we actually run things.
Isolated environments
Every paid client gets a dedicated container on infrastructure we operate. No shared databases, credentials, or processes between clients. A compromise of one client's automations can't reach another's.
Hosting
The marketing site runs on Cloudflare Pages with managed TLS and Bot Fight Mode on. Client automations run on DigitalOcean droplets in U.S. data centers with daily snapshots. SSH is key-only with root login disabled, and admin URLs sit behind Cloudflare Access so login pages aren't publicly reachable.
Credentials
Every credential — ours and any you share with us — is stored encrypted in 1Password. Two-factor authentication is on for everything that supports it. Client credentials are scoped to the minimum permissions needed, and when an engagement ends we revoke access and remove them from our systems.
Backups
Daily server snapshots on every droplet, plus version-controlled workflow definitions in private GitHub repos as an independent recovery path.
Monitoring
Each client environment has scheduled health checks. Failures alert us right away. If something does go wrong, we follow a written incident response routine: contain, assess, notify, document.
What we don't claim
We're not SOC 2 or ISO 27001 certified — we don't pretend to be. We'll add formal audits when the size of the business warrants them.
Found a vulnerability?
Email us with the details and we'll acknowledge within two business days. We don't run a paid bug bounty yet, but responsible disclosure is genuinely appreciated.
Contact
Timeback Solutions LLC — Minnesota, USA.