Trust & Security
Security built for the people accountable for delivery
PMOs trust SightLinePM with the signals that show whether their portfolio is actually on track — schedules, risks, financials, and the candid status notes behind them. We treat that data the way a mature security program should: least privilege by default, encrypted end-to-end, monitored continuously, and documented so your InfoSec team can sign off without a 60-question questionnaire. This page is the single source of truth for our controls, posture, and limits — written plainly, with no marketing fog.
Security program & governance
SightLinePM operates a written information security program modeled on the NIST Cybersecurity Framework (CSF 2.0) and the AICPA SOC 2 Trust Services Criteria (Security, Availability, Confidentiality). The program is owned by the Head of Security, reviewed quarterly by leadership, and updated at least annually or after any material change to the product, infrastructure, or threat landscape.
Every employee and long-term contractor completes security and privacy training at hire and annually thereafter, including phishing simulations, secure-coding refreshers, and data handling. Background checks are performed on all personnel with production access, where permitted by law.
Hosting & infrastructure
SightLinePM is hosted on Supabase running on Amazon Web Services (AWS) inus-east-1by default, with EU residency (eu-central-1) available on Enterprise. Edge traffic is fronted by Cloudflare, which terminates TLS, absorbs L3/L4 and L7 DDoS attacks, and applies a managed Web Application Firewall (WAF) ruleset tuned for the OWASP Top 10.
We operate no physical data centers. Physical security, environmental controls, hypervisor isolation, and hardware lifecycle are inherited from AWS's SOC 2 Type II, ISO 27001, and ISO 27017/27018 programs. Production networks are private by default; no database or internal service is exposed to the public internet.
Customer data is logically isolated by tenant. Every row in the multi-tenant Postgres database carries a workspace_idand is protected by Row Level Security (RLS) policies enforced by the database itself — defense that holds even if an application-layer bug tries to query across tenants.
Encryption
In transit
All traffic to SightLinePM is encrypted with TLS 1.2 or higher, with TLS 1.3 preferred. HSTS is enforced (max-age=63072000; includeSubDomains; preload), and we publish a CAA record restricting certificate issuance to approved CAs. Insecure HTTP, SSLv3, TLS 1.0, and TLS 1.1 are disabled at the edge.
At rest
All customer data — Postgres tables, object storage, automated backups, and point-in-time recovery snapshots — is encrypted at rest using AES-256 with keys managed by AWS KMS. Disk-level encryption is enforced by the underlying EBS volumes.
Secrets & keys
Application secrets, OAuth client secrets, and integration tokens are stored in a managed secrets vault, never in source control. Customer-supplied API tokens are encrypted with envelope encryption before persistence and decrypted only at the moment of use inside a memory-only execution context.
Identity & access
Customer authentication
Accounts are protected by email + password with bcrypt-hashed credentials, Google SSO, and (on Enterprise) SAML 2.0 SSO with SCIM provisioning. Passwords are checked against the Have I Been Pwned breach corpus on signup and reset. Multi-factor authentication (TOTP) is available to all users and required by default for workspace administrators.
Authorization & RBAC
Workspaces support Owner, Admin, Editor, and Viewer roles, with granular per-project access. Authorization is enforced server-side at the API and again at the database via Postgres Row Level Security — a deliberate belt-and-suspenders design.
Integration scope (least privilege)
SightLinePM connects to source systems (Jira, Asana, Monday, GitHub, Slack, etc.) using OAuth with the narrowest scopes that produce a useful briefing — read-only wherever the vendor supports it. We never write back to your source systems unless you explicitly trigger an action, and you can revoke any integration in one click.
Internal access
Production access is restricted to a small on-call group, gated by SSO + MFA, scoped just-in-time, time-bound, and logged. Engineers do not access customer content except to resolve a support ticket you opened, and every such access is recorded in an immutable audit log available on request for Enterprise customers.
Session management
Sessions use rotating, signed tokens with short access-token lifetimes and refresh-token rotation. Administrators can force-log-out a user or revoke all sessions for the workspace from the admin console.
Secure software development (SDLC)
All code changes flow through pull requests with mandatory peer review, automated unit and integration tests, dependency vulnerability scanning (SCA), static analysis (SAST), and secret scanning before merge. Production deploys are automated, signed, and traceable to a specific commit and reviewer.
We run third-party penetration tests at least annually and after any material architectural change; a summary letter is available under NDA. We operate a continuous bug bounty channel via security@sightlinepm.com and triage all reports against CVSS v3.1.
Monitoring, logging & threat detection
Application, authentication, and infrastructure events are centralized in a tamper-evident logging pipeline with a minimum 365-day retention. Anomalous authentication patterns, privilege escalations, mass exports, and integration token misuse generate real-time alerts to the on-call security engineer.
Edge and WAF logs feed automated rate-limiting and bot mitigation. Production systems are monitored 24/7 for availability and security events via paging rotations with documented response SLOs.
AI data handling
SightLinePM uses large language models to draft briefings, summarize status notes, and surface risks. Customer data sent to LLM providers is transmitted under zero-retention API agreements: prompts and completions are not used to train provider models and are not retained beyond the time required to return a response.
You can disable AI features per-workspace. Enterprise customers can pin inference to a specific model and region, or bring their own LLM credentials.
Data lifecycle, retention & portability
Backups & recovery
Postgres runs with continuous WAL archiving and point-in-time recovery covering the last 7 days (30 days on Enterprise). Full snapshots are taken daily, encrypted, and retained for 35 days. Recovery procedures are tested at least quarterly. Target RPO ≤ 5 minutes, target RTO ≤ 4 hours.
Export
Workspace admins can export all project, briefing, risk, and resource data as JSON or CSV at any time via the in-app export or our API.
Deletion
On account closure, all customer content is soft-deleted immediately and purged from primary stores within 30 days and from encrypted backups within 90 days, after which it is cryptographically unrecoverable.
Availability & resilience
SightLinePM targets 99.9% monthly uptime for the production application (99.95% on Enterprise SLAs). Infrastructure runs multi-AZ with automated failover for the database tier. We publish real-time status, incident timelines, and post-mortems at status.sightlinepm.com.
Vendor & subprocessor risk management
Every subprocessor is reviewed before onboarding against security posture, certifications, data residency, and contractual safeguards (DPAs, SCCs). Reviews are repeated annually. The current list below is authoritative and updated whenever a subprocessor is added or removed; material changes are announced with at least 30 days' notice via email to workspace administrators.
Compliance Status
| Standard | Status | Notes |
|---|---|---|
| SOC 2 Type II (Infrastructure) | Inherited | Inherited from Supabase / AWS — report available under NDA |
| SOC 2 Type II (SightLinePM application) | In audit prep | Type I targeted Q4 2026, Type II observation window to follow |
| ISO 27001 (Infrastructure) | Inherited | Inherited from Supabase / AWS |
| GDPR | Aligned | DPA + SCCs available; EU data residency on Enterprise |
| CCPA / CPRA | Aligned | Consumer rights workflow operational |
| HIPAA | Not in scope | Do not upload PHI; BAA not offered today |
| PCI DSS | Out of scope | Card data handled exclusively by Stripe (PCI DSS Level 1) |
Need our SOC 2 / ISO inheritance letter, DPA, SCCs, pen-test summary, security questionnaire, or insurance certificates? Email security@sightlinepm.com and we'll turn them around within two business days.
Incident response & breach notification
We operate a documented incident response plan aligned to NIST SP 800-61 with defined severities, on-call rotations, and tabletop exercises at least twice a year. In a confirmed security incident affecting customer data, we will notify affected workspace administrators without undue delay and in any case within 72 hours of confirmed discovery — consistent with GDPR Article 33 — including the nature of the incident, data categories involved, our current containment status, and recommended actions.
Every Sev-1 and Sev-2 incident receives a written post-mortem with root cause analysis and corrective actions. Enterprise customers receive tailored notifications via their named contacts and contractual channels.
Coordinated vulnerability disclosure
We welcome reports from security researchers and treat coordinated disclosure as a partnership. Please email security@sightlinepm.com (PGP key available on request). We commit to:
- Acknowledge your report within 2 business days.
- Provide a triage decision and CVSS scoring within 5 business days.
- Share a remediation timeline within 10 business days.
- Credit you publicly (with your permission) once a fix is shipped.
- Refrain from any legal action against researchers acting in good faith, within the bounds of our safe-harbor policy: no privacy violations, no data destruction, no service degradation, no social engineering of staff.
Subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Underlying cloud infrastructure, storage, networking | USA (us-east-1) — EU region available on Enterprise |
| Supabase | Managed Postgres, authentication, object storage, realtime | USA (AWS) |
| Cloudflare | Edge runtime, DDoS protection, WAF, TLS termination | Global edge |
| Anthropic | LLM inference for AI briefings (zero-retention API) | USA |
| OpenAI | Optional LLM inference (zero-retention API, Enterprise tier) | USA |
| Stripe | Subscription billing and payment processing | USA / Global |
| Twilio | Transactional SMS and voice notifications | USA |
| Resend | Transactional email (auth, alerts, receipts) | USA / EU |
| Sentry | Application error monitoring (PII scrubbed) | USA |
| PostHog | Product analytics (cookieless, IP truncated) | USA / EU |
This list is authoritative. Workspace administrators can subscribe to subprocessor change notifications at security@sightlinepm.com.
Responsibilities — yours and ours
Security is a shared model. SightLinePM is responsible for the security of the platform: infrastructure, application code, encryption, monitoring, and the controls described on this page. You are responsible for security in your workspace: provisioning the right people with the right roles, enforcing SSO/MFA, reviewing integration scopes, classifying what you upload, and offboarding users promptly. We give you the controls; you make the policy decisions that fit your organization.
Contact
For security reviews, vendor assessments, DPAs/SCCs, questionnaires, certificates of insurance, or vulnerability reports, contact our security team directly:
- General security inquiries: security@sightlinepm.com
- Vulnerability disclosure: security@sightlinepm.com (PGP available)
- Privacy / data subject requests: privacy@sightlinepm.com
- Trust center & documents: trust@sightlinepm.com
We respond to all security inquiries within two business days, Monday–Friday.
Last updated: June 2026
