
Security at BlackSheep

We protect your compliance data with enterprise-grade security controls, automated monitoring, and SOC 2-aligned processes.

Encryption Everywhere

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for data at rest
  • TLS-encrypted database connections (SSL/TLS required on every connection)
  • Secure cookie handling with HttpOnly and Secure flags

Authentication & Access

  • Multi-factor authentication (MFA) support via Clerk
  • Role-based access control (Owner, Admin, Member, Read-Only)
  • 15-minute idle session timeout with automatic sign-out
  • Brute-force protection with tiered rate limiting
  • Bot detection and automated scanner blocking

Infrastructure

  • Hosted on Vercel (holds a SOC 2 Type II attestation report)
  • Neon PostgreSQL database (holds a SOC 2 Type II attestation report)
  • Automatic Point-in-Time Recovery (PITR) backups
  • DDoS protection via Cloudflare
  • Strict Content Security Policy (CSP) headers
  • HSTS enforcement with 1-year max-age
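The transport and header controls listed above (TLS with a one-year HSTS policy, a strict CSP, HttpOnly and Secure cookie flags) are the kind a practitioner wants to verify against a live deployment rather than take on trust. The following is an added example, not BlackSheep's code, that audits a captured set of response headers against those controls. It assumes headers are passed as a plain object keyed by lower-case header name (with Set-Cookie as an array), and it goes slightly beyond the page's list by also requiring includeSubDomains on HSTS and clickjacking protection (X-Frame-Options: DENY or a CSP frame-ancestors directive). All header values are constructed.

```javascript
// Added example (not BlackSheep's code): audit an HTTP response header set
// against the controls this page lists. Header values below are constructed.

const ONE_YEAR = 31536000; // seconds; the page states a 1-year HSTS max-age

// Parse "key=value; flag" attribute lists (HSTS, Set-Cookie) into a Map of
// lower-cased attribute name -> value, or true for bare flags like HttpOnly.
function parseAttributes(value) {
  const attrs = new Map();
  for (const part of value.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const idx = trimmed.indexOf('=');
    if (idx === -1) attrs.set(trimmed.toLowerCase(), true);
    else attrs.set(trimmed.slice(0, idx).toLowerCase(), trimmed.slice(idx + 1).trim());
  }
  return attrs;
}

// Parse a CSP into a Map of directive name -> array of source expressions.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Return a list of findings; an empty list means the header set meets the bar.
// `headers` is an object keyed by lower-case header name (assumption of this example).
function auditHeaders(headers) {
  const findings = [];
  const get = (name) => headers[name.toLowerCase()];

  // HSTS: present, max-age of at least one year, includeSubDomains set.
  const hsts = get('strict-transport-security');
  if (!hsts) findings.push('HSTS missing');
  else {
    const a = parseAttributes(hsts);
    const maxAge = Number(a.get('max-age'));
    if (!(maxAge >= ONE_YEAR)) findings.push(`HSTS max-age ${a.get('max-age')} is below one year`);
    if (!a.has('includesubdomains')) findings.push('HSTS lacks includeSubDomains');
  }

  // CSP: present, has a default-src fallback, and the effective script-src
  // allows neither inline scripts, eval, nor a wildcard origin.
  const csp = get('content-security-policy');
  if (!csp) findings.push('CSP missing');
  else {
    const d = parseCsp(csp);
    if (!d.has('default-src')) findings.push('CSP has no default-src fallback');
    const scriptSrc = d.get('script-src') || d.get('default-src') || [];
    for (const bad of ["'unsafe-inline'", "'unsafe-eval'", '*']) {
      if (scriptSrc.includes(bad)) findings.push(`CSP script-src allows ${bad}`);
    }
  }

  // Cookies: every Set-Cookie must carry both HttpOnly and Secure.
  const cookies = [].concat(get('set-cookie') || []);
  for (const c of cookies) {
    const a = parseAttributes(c);
    const name = c.split('=')[0].trim();
    if (!a.has('httponly')) findings.push(`cookie ${name} lacks HttpOnly`);
    if (!a.has('secure')) findings.push(`cookie ${name} lacks Secure`);
  }

  // Clickjacking: X-Frame-Options DENY or a CSP frame-ancestors directive.
  const xfo = (get('x-frame-options') || '').toUpperCase();
  const frameAncestors = Boolean(csp) && parseCsp(csp).has('frame-ancestors');
  if (xfo !== 'DENY' && !frameAncestors) findings.push('no X-Frame-Options: DENY or frame-ancestors');

  return findings;
}

// Constructed header sets: a weak deployment beside a hardened one.
const WEAK_HEADERS = {
  'strict-transport-security': 'max-age=86400',
  'content-security-policy': "script-src 'self' 'unsafe-inline'",
  'set-cookie': ['session=abc123; Path=/'],
};

const HARDENED_HEADERS = {
  'strict-transport-security': `max-age=${ONE_YEAR}; includeSubDomains`,
  'content-security-policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
  'set-cookie': ['session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'],
  'x-frame-options': 'DENY',
};

console.log('weak:', auditHeaders(WEAK_HEADERS));
console.log('hardened:', auditHeaders(HARDENED_HEADERS));
```

Run it against a real deployment by feeding the headers from a `curl -sI https://host/` response into `auditHeaders`; the weak fixture produces seven findings, the hardened one none. The CSP check is deliberately narrow (script-src only), since that directive is where an inline-script allowance most often undoes an otherwise strict policy.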

Automated Monitoring

  • 7 automated security monitors running continuously
  • Deployment integrity verification against GitHub
  • Content integrity hashing to detect unauthorized changes
  • TLS certificate expiry monitoring
  • DNS record change detection
  • Auth anomaly detection (rate limit spikes, bot spikes)
  • Privilege escalation monitoring
  • Real-time alerting to administrators

Application Security

  • Honeypot paths to detect vulnerability scanners
  • IP-based admin access allowlisting
  • Request body size validation
  • Webhook signature verification (Svix/Clerk, Stripe)
  • CSRF protection and X-Frame-Options: DENY
  • Permissions-Policy restricting camera, microphone, geolocation

Compliance & Governance

  • SOC 2 Type II control monitoring with automated checks
  • Platform governance policies reviewed annually
  • Incident response plan with tabletop testing
  • Vendor risk management program
  • Data retention policies with automated enforcement
  • Privacy policy compliant with CCPA/CPRA and 19+ state laws

Data Privacy

  • Customer data is never shared with third parties for marketing
  • Tenant data isolation — organizations cannot access each other's data
  • Data export available at any time
  • Data deletion within 90 days of account termination
  • Cookie-free analytics (Vercel Analytics)
  • Full privacy policy available at /privacy

Responsible Disclosure

If you discover a security vulnerability in BlackSheep, please report it responsibly. We take all security reports seriously and will respond promptly.

Contact: security@goblacksheep.io

Last updated: March 27, 2026