Ellavator's Trust Center

Welcome!

If you have any questions, check out our FAQ at the bottom of the page or contact ella@atomicelevator.com.

Privacy Policy

Resources

Security & Trust Reports

Security Practices Whitepaper

Vulnerability Assessment Summary

Business Continuity Overview

Other Resources

Vulnerability Disclosure Policy

Proof of Insurance

Controls

Infrastructure Security

Control

Status

Remote Access MFA Enforced

Access to our core infrastructure on Vercel and Railway is protected by multi-factor authentication (MFA) to ensure only authorized team members can gain access.

Encrypted Connections

All remote access to our production systems, including our databases and backend services, requires an approved, encrypted connection (e.g., HTTPS, SSL/TLS).

Cloud-Native Network Security

We leverage the robust, built-in network security of our cloud providers (Vercel, Railway, Supabase), which are designed to prevent unauthorized access and isolate customer data.

Secrets Management

All API keys, tokens, and sensitive credentials are encrypted and securely stored as environment variables in our hosting platforms. Secrets are never hard-coded or exposed in our repositories.

Organizational Security

Control

Status

Confidentiality Agreements

All employees and contractors are required to sign a confidentiality agreement to protect sensitive company and customer information.

Principle of Least Privilege

We enforce the principle of least privilege for access control. Team members are only granted the minimum level of access necessary to perform their roles, managed via our platforms' RBAC features.

Anti-Malware Technology

We require all team members to utilize modern anti-malware and endpoint security on company-provided or personal devices used for work.

Code of Conduct

We are in the process of formalizing our Code of Conduct for all employees and contractors to ensure a consistent and secure working environment.

Mobile Device Management (MDM)

As our team grows, we plan to implement an MDM solution to centrally manage and secure all mobile devices that access company data.

Product Security

Control

Status

Secure Development Lifecycle

We follow a secure development lifecycle where all code changes are subject to pull request reviews and automated checks before being deployed to production.

Vulnerability & Error Monitoring

We use Sentry for real-time error tracking and receive automated vulnerability alerts from GitHub and Vercel to help us identify and remediate issues quickly.

Penetration Testing

We plan to engage a third-party security firm to perform annual penetration tests on our application and infrastructure to proactively identify vulnerabilities.

Formal Control Assessments

We are working towards establishing a formal process for annual control self-assessments to ensure our security measures remain effective over time.

Data and Privacy

Control

Status

Automated Data Backups

Our database provider, Supabase, performs automated, continuous backups of our production data to ensure it can be recovered in case of an incident.

Customer Data Deletion

When a customer leaves our service, we have processes in place to ensure their data is fully purged and removed from our production systems upon request.

Third-Party Agreements

We have written agreements with all our subprocessors. These agreements include the confidentiality, privacy, and security commitments applicable to each vendor.

Data Classification Policy

We are developing a formal data classification policy to help our team consistently identify and apply the correct level of security to different types of data.

Formal Data Retention Procedures

We plan to establish and document formal procedures to guide the secure retention and disposal of all company and customer data in line with best practices.

Subprocessors

USA

OpenAI

AI Provider

✨ Powers intelligent in-app features

🤖 Assists with data processing

USA

Vercel

Frontend Hosting

🖥️ Hosts our Next.js frontend

⚡ Ensures fast and reliable access globally

USA

Supabase

Database & Storage

🗄️ PostgreSQL database for application data

📁 Securely stores user-uploaded files

USA

WorkOS

Identity & Access Management

🔑 Manages user sign-up and login

🔐 Provides enterprise-grade account security

USA

HubSpot

Customer Communication

💬 Manages customer support requests

📣 Handles marketing communications

IL

Novu

Notification Infrastructure

🚀 Open-source notification workflow engine

🔔 Manage SMS, Email, and Push in one place

EU

ConvertAPI

File Conversion

📄 High-performance document conversion

⚙️ Supports PDF, Word, Excel, and Images

EU

PostHog

Product OS

📈 Product analytics and session recording

🚩 Feature flags and A/B testing suite

US

SendGrid

Email Delivery

📧 Reliable transactional email API

🛠️ Scalable marketing automation tools

US

Stripe

Payments Infrastructure

💳 Global payment processing and billing

🏦 Financial tools for internet business

US/EU

Chargebee (Coming)

Subscription Management

🔄 Automated recurring billing workflows

📈 Subscription analytics and revenue recovery

Frequently Asked Questions