SpartanOS

Security

Effective May 2, 2026

SpartanOS holds the contact records, policy data, and conversations that run an insurance agency. We treat that data the way a bank treats yours. This page explains what we do and what you control.

Encryption

  • In transit: TLS is terminated at the Vercel edge (TLS 1.3) before traffic reaches our application. Plain-HTTP requests are redirected to HTTPS automatically and HSTS is enforced.
  • At rest: the production database (Postgres on Neon) is encrypted at rest with AES-256. File uploads, message content, and audit logs sit on the same encrypted storage.
  • Field-level: sensitive fields (SSN, Twilio auth tokens, Google OAuth refresh tokens) are encrypted at the application layer with AES-256-GCM before they ever hit the database.

Tenant isolation

SpartanOS is multi-tenant. Every agency receives its own logical partition. Every server-side query is scoped by agencyId derived from the authenticated session — never from client input — so one agency cannot read or write another agency's records, even by tampering with API parameters.
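The isolation rule above (tenant id from the session, never from the request) is easy to state and easy to get wrong in a handler. Below is an added example, not SpartanOS code, showing the vulnerable shape beside the hardened one and a write path that checks the tenant as well as the row id. The session shape `{ userId, agencyId }`, the handler signatures, and the in-memory table standing in for `SELECT ... FROM contacts WHERE agency_id = $1` are assumptions for this example; the sample rows are constructed.

```javascript
// Added example, not SpartanOS code. Assumed: an auth middleware has already turned a verified
// cookie/token into `session`; handlers receive the parsed request and that session.
const contacts = [ // constructed sample rows
  { id: 'c_1', agencyId: 'agency_A', name: 'Ada Lovelace' },
  { id: 'c_2', agencyId: 'agency_B', name: 'Bob Marley' },
];

// Stands in for a parameterised query: SELECT ... FROM contacts WHERE agency_id = $1
function selectContactsByAgency(agencyId) {
  return contacts.filter((c) => c.agencyId === agencyId);
}

// VULNERABLE: a client-supplied query parameter overrides the session's tenant, so a user
// of agency_A reads agency_B's contacts by sending ?agencyId=agency_B.
function listContactsVulnerable(req, session) {
  const agencyId = req.query.agencyId || session.agencyId;
  return selectContactsByAgency(agencyId);
}

// HARDENED: the tenant id comes only from the authenticated session. A client-supplied id
// that disagrees is a tampering signal, so it is rejected rather than silently ignored.
function listContactsHardened(req, session) {
  if (!session || !session.agencyId) throw new Error('401 unauthenticated');
  if ('agencyId' in req.query && req.query.agencyId !== session.agencyId) {
    throw new Error('403 agencyId mismatch');
  }
  return selectContactsByAgency(session.agencyId);
}

// Writes follow the same rule: the row must match BOTH the id and the session's tenant
// (UPDATE ... WHERE id = $1 AND agency_id = $2). A miss returns "not found" rather than
// "forbidden" so other tenants' record ids are not confirmed to exist.
function updateContactHardened(session, contactId, patch) {
  const row = contacts.find((c) => c.id === contactId && c.agencyId === session.agencyId);
  if (!row) return null;
  Object.assign(row, patch);
  return row;
}

function demo() {
  const sessionA = { userId: 'u_1', agencyId: 'agency_A' };
  const tampered = { query: { agencyId: 'agency_B' } }; // attacker edits the API parameter
  const leaked = listContactsVulnerable(tampered, sessionA).map((c) => c.name);
  let hardenedError = null;
  try { listContactsHardened(tampered, sessionA); } catch (e) { hardenedError = e.message; }
  const ownRows = listContactsHardened({ query: {} }, sessionA).map((c) => c.name);
  const crossWrite = updateContactHardened(sessionA, 'c_2', { name: 'Mallory' });
  return { leaked, hardenedError, ownRows, crossWrite, bobUntouched: contacts[1].name };
}
```

The practical check for a codebase that claims this property is mechanical: every query function takes `agencyId` as a required parameter, and the only call sites that supply it read it from the session object. Any handler that reads it from `req.query`, `req.body` or a path segment is a finding.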

Authentication & access control

  • Passwords are hashed with bcrypt (cost 12). Plaintext passwords are never stored or logged.
  • Optional two-factor authentication (TOTP) for any user. Owners can require it agency-wide.
  • Account lockout after 10 failed sign-ins (15-minute hold) to slow brute-force and credential-stuffing attempts.
  • Force-logout-everywhere: changing your password invalidates every active session immediately.
  • Role-based access (Owner / Admin / Agent) controls who can change billing, invite users, or export data.

Twilio sub-account isolation

Each agency that connects messaging gets its own Twilio sub-account. Numbers, conversations, and billable usage are scoped to that sub-account — neither SpartanOS staff nor other tenants can read your SMS history.

Audit logs

Every authentication event, contact import, policy change, message send, and admin action writes an immutable audit-log entry visible to the agency owner under Audit Log. Logs are retained for the life of the agency and exportable on request.

Application & infrastructure hardening

  • A strict Content Security Policy restricts where scripts can load from and where the page may connect, which blocks injected scripts and exfiltration through tracking pixels.
  • HSTS preload, X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, and a tight Permissions-Policy.
  • Webhook signature verification on every Twilio, Stripe, and Vapi callback; a callback with a missing or invalid signature is rejected.
  • Per-user and per-IP rate limits in front of authentication, AI, and billing endpoints.
  • Application errors are scrubbed of PII before being shipped to our error tracker.

Compliance

  • TCPA: outbound SMS honors STOP / HELP / START keywords automatically, restricts sends to the 8AM–9PM window in the contact's local time (the TCPA quiet-hours rule), captures opt-in consent at collection, and blocks sends to unsubscribed numbers at the API layer.
  • State licensing: producers can attach license numbers and states; outbound activity in unlicensed states surfaces a warning before send.
  • NAIC Insurance Data Security Model Law (#668) and state insurance privacy laws: data access logging, breach-notification readiness, and customer-data export on request.
  • GDPR-style controls for any EU contact records: export, rectify, and delete on request via the agency owner.

Backups & continuity

The production database has continuous WAL backups with point-in-time recovery. Recovery objectives: RPO ≤ 1 hour, RTO ≤ 4 hours. Backups are stored encrypted in a separate region from the primary.

Sub-processors

We rely on a small set of vetted vendors (Vercel, Neon, Twilio, Stripe, Anthropic, Resend, Sentry, Upstash, Google Workspace OAuth). Each processes data under a signed Data Processing Agreement. The full list and what each one handles lives at /subprocessors.

Compliance roadmap

We treat compliance as engineering, not theater. Today the platform meets the substantive controls expected of a SOC 2 Type 1 audit (encryption, access management, monitoring, change management, incident response, vendor management). Our roadmap:

  • SOC 2 Type 1 — readiness assessment in progress; targeting initial report within 6 months.
  • SOC 2 Type 2 — observation window opens immediately after Type 1.
  • HIPAA BAA — available on request for agencies handling protected health information in policy notes.
  • State NAIC Insurance Data Security Model Law — documented program already in place.

Data Processing Agreement

Need a signed DPA? Download our template here, mark it up if you like, and email legal@spartan-os.com for signature. Standard turnaround is 1–2 business days. The DPA incorporates the EU Standard Contractual Clauses by reference for any EEA / UK / Swiss data transfer.

Reporting a vulnerability

Security issues: security@spartan-os.com. We acknowledge within one business day. Please don't test against production tenants you don't own — we'll spin you up a sandbox.

What you control

  • Enable 2FA on your account in Settings → Security.
  • Require 2FA for everyone in your agency (owners only).
  • Review and revoke other active sessions in Settings → Sessions.
  • Export your full agency data, or request deletion, at any time.