Security and Compliance
Last updated: May 10, 2026
This page describes Bridge Town’s current security posture, how to request a Data Processing Agreement (DPA), and our compliance roadmap.
Current Security Posture
Bridge Town is built and operated by Knightian Labs Pte Ltd. We apply security controls at every layer of the stack, and our team reviews these regularly as the platform grows.
Infrastructure and data
- Cloud provider: Amazon Web Services (us-east-1). All infrastructure runs inside a VPC with private subnets for compute and database tiers.
- Encryption at rest: PostgreSQL (AWS RDS) and S3 object storage use AES-256 encryption at rest.
- Encryption in transit: All connections between clients and the platform enforce TLS 1.2 or higher. Internal service-to-service traffic within the VPC uses TLS where applicable.
- Database tenant isolation: PostgreSQL Row-Level Security (RLS) enforces strict per-tenant data separation. Every query is automatically scoped to the requesting organisation.
- Secrets management: Database credentials, API tokens, and service secrets are stored in AWS Secrets Manager. No secrets are committed to source code or included in container images.
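The following is an added illustration of how PostgreSQL RLS scopes every query to the requesting organisation, as the bullet above describes. It is not Bridge Town's schema: the table, column, role and session-setting names are assumptions, and the UUIDs are constructed sample values.

```sql
-- Constructed example of per-tenant isolation with Row-Level Security.
-- Table, column, role and setting names are assumptions, not Bridge Town's own.
CREATE TABLE models (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    name    text NOT NULL
);

-- Enable RLS, and FORCE it so even the table owner cannot bypass it.
ALTER TABLE models ENABLE ROW LEVEL SECURITY;
ALTER TABLE models FORCE ROW LEVEL SECURITY;

-- The policy compares each row's org_id with a per-transaction setting that
-- the application populates from the authenticated request. USING filters
-- reads (and the rows UPDATE/DELETE can touch); WITH CHECK blocks writes
-- that would place a row under another organisation.
CREATE POLICY tenant_isolation ON models
    USING      (org_id = current_setting('app.current_org_id')::uuid)
    WITH CHECK (org_id = current_setting('app.current_org_id')::uuid);

-- The application connects as a role that cannot bypass RLS.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON models TO app_user;

-- Per request: SET LOCAL scopes the setting to this transaction only, so a
-- pooled connection never leaks the tenant into the next request.
BEGIN;
SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';
SELECT id, name FROM models;      -- returns only this organisation's rows,
                                  -- with no WHERE org_id = ... in app code
INSERT INTO models (org_id, name)
    VALUES ('11111111-1111-1111-1111-111111111111', 'q3-forecast'); -- allowed
COMMIT;

-- A write for a different org_id in the same transaction fails with
-- "new row violates row-level security policy for table models".

-- If the setting was never set, current_setting() raises an error, so a
-- request that forgot to set the tenant fails closed instead of seeing all
-- rows. Passing missing_ok (current_setting(name, true)) yields NULL, and a
-- NULL comparison also denies every row.
```

Checking pg_policies and confirming that app_user has rolbypassrls = false are the two quick verifications that the isolation is actually in force.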
Authentication and access
- Authentication: Auth0 (Okta) handles all user authentication. Multi-factor authentication (MFA) is supported and recommended for team accounts.
- Token security: OAuth tokens are encrypted with AES-256-GCM before storage. API tokens are stored as argon2id hashes — we cannot recover plaintext tokens.
- Least privilege: IAM roles are scoped to the minimum permissions required per service. No long-lived root or admin credentials are used in production.
Application security
- Input validation: All API boundaries use Pydantic models with constrained types.
- SQL safety: All database queries use parameterised statements. String interpolation into SQL is prohibited by policy and code review.
- Dependency scanning: Pre-commit hooks and CI pipelines scan for known vulnerabilities in dependencies.
- Structured logging: Application logs are structured JSON and never contain secrets, tokens, or financial model content.
Certification Roadmap
Bridge Town is an early-stage SaaS. We have not yet achieved formal third-party security certifications, and we will not claim otherwise.
| Milestone | Status |
|---|---|
| SOC 2 Type I | Planned — not yet in progress |
| SOC 2 Type II | Planned — contingent on Type I completion |
| Penetration test (external) | Planned — target before Series A or material enterprise contract |
| ISO 27001 | Not yet planned |
| GDPR Art. 28 DPA template | Available on request — see below |
| CCPA compliance | Privacy controls in place; formal assessment planned |
We will update this roadmap as milestones are completed or scheduled. If a specific certification is required for your procurement process before it appears on our roadmap, contact sales@bridgetown.builders.
Data Processing Agreement (DPA)
Enterprise customers and organisations subject to GDPR may require a signed DPA before going live with Bridge Town.
To request a DPA:
- Email security@bridgetown.builders with the subject line: DPA Request — [Your Organisation Name].
- Include your organisation name, the name and email of the signatory, and your preferred turnaround window.
- We will respond within 5 business days with a draft DPA for review.
DPA reviews are handled directly by the Knightian Labs leadership team. We do not use a third-party DPA exchange service at this time.
Security Review Requests
If your organisation requires a security review or security questionnaire before onboarding Bridge Town, we support the following:
- Security questionnaire: We can complete standard vendor security questionnaires (SIG Lite, CAIQ, or equivalent). Allow 10 business days.
- Architecture review call: We can arrange a 30-minute call with a technical lead to walk through our security architecture. Request via security@bridgetown.builders.
- Custom requirements: Contact us if your procurement process requires artefacts not listed here (penetration test attestations, insurance certificates, etc.). We will do our best to accommodate reasonable requests.
Contact: security@bridgetown.builders
Vulnerability Disclosure
If you discover a security vulnerability in Bridge Town, please report it responsibly:
- Email: security@bridgetown.builders
- Subject: Security Vulnerability Report
- Include: Description of the issue, steps to reproduce, and the potential impact.
We aim to acknowledge vulnerability reports within 2 business days and to provide a remediation timeline within 10 business days. We do not operate a formal bug bounty programme at this time, but we welcome responsible disclosure.
Please do not publicly disclose a vulnerability before we have had a reasonable opportunity to investigate and remediate.
Subprocessors
For a full list of third-party services that process data on our behalf — including data categories, regions, and retention schedules — see our Subprocessors page.
Privacy Policy
For information about how we collect, use, and protect personal data, see our Privacy Policy.
Contact
General security enquiries: security@bridgetown.builders
Privacy and data rights: privacy@bridgetown.builders
Enterprise and procurement: sales@bridgetown.builders