Security at BlackSheep

How we protect your compliance data. Encryption, automated monitoring, access controls, and SOC 2-aligned processes.

Encryption

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for data at rest
  • Encrypted database connections (SSL required)
  • Secure cookie handling with HttpOnly and Secure flags

Authentication & Access

  • Multi-factor authentication (MFA) support via Clerk
  • Role-based access control (Owner, Admin, Member, Read-Only)
  • 15-minute idle session timeout with automatic sign-out
  • Brute-force protection with tiered rate limiting
  • Bot detection and automated scanner blocking
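The "brute-force protection with tiered rate limiting" item above describes a mechanism rather than a setting, so here is a worked version of it. This is an added example, not BlackSheep's own code: an in-memory, tiered limiter for a sign-in endpoint in which a sliding window counts attempts per key (client IP, or IP plus account), exceeding the window locks the key out, and each repeat offence escalates to a longer lockout. The limit, window and lockout durations are assumptions chosen for illustration; a multi-instance deployment would keep the state in a shared store rather than a process-local Map.

```javascript
// Added example, not BlackSheep's code: an in-memory, tiered brute-force
// limiter for a sign-in endpoint. A sliding window counts attempts per key;
// exceeding it locks the key out, and each repeat offence escalates to a
// longer lockout. All limits below are assumptions for illustration.
const DEFAULTS = {
  limit: 5,                                       // attempts allowed per window
  windowMs: 60_000,                               // 1-minute sliding window
  lockoutsMs: [60_000, 15 * 60_000, 60 * 60_000], // tier 1, 2 and 3 lockouts
};

class TieredRateLimiter {
  constructor(opts = {}) {
    this.opts = { ...DEFAULTS, ...opts };
    this.state = new Map(); // key -> { hits: number[], strikes: number, lockedUntil: number }
  }

  // Decide whether an attempt by `key` at time `now` (ms) may proceed.
  // Returns { allowed, tier, retryAfterMs }; tier is 0 when not locked out.
  check(key, now = Date.now()) {
    const { limit, windowMs, lockoutsMs } = this.opts;
    let s = this.state.get(key);
    if (!s) {
      s = { hits: [], strikes: 0, lockedUntil: 0 };
      this.state.set(key, s);
    }
    if (s.lockedUntil > now) {
      return { allowed: false, tier: s.strikes, retryAfterMs: s.lockedUntil - now };
    }
    // Forget attempts older than the window, then count this one.
    s.hits = s.hits.filter((t) => t > now - windowMs);
    s.hits.push(now);
    if (s.hits.length <= limit) {
      return { allowed: true, tier: 0, retryAfterMs: 0 };
    }
    // Over the limit: move up a tier (capped at the last one) and lock out.
    s.strikes = Math.min(s.strikes + 1, lockoutsMs.length);
    const lockoutMs = lockoutsMs[s.strikes - 1];
    s.lockedUntil = now + lockoutMs;
    s.hits = [];
    return { allowed: false, tier: s.strikes, retryAfterMs: lockoutMs };
  }

  // Call after a successful sign-in so a user who mistyped a password a few
  // times does not carry strikes into a longer lockout later.
  reset(key) {
    this.state.delete(key);
  }
}

// Replay a constructed attack: six attempts in half a second, a retry during
// the lockout, then a second burst once the first lockout has expired.
function simulate() {
  const rl = new TieredRateLimiter();
  const ip = '203.0.113.7'; // documentation address, constructed
  let now = 1_700_000_000_000;
  const firstBurst = [];
  for (let i = 0; i < 6; i++) firstBurst.push(rl.check(ip, now + i * 100).allowed);
  const lockedRetry = rl.check(ip, now + 10_000);
  now += 61_000; // the 60 s tier-1 lockout has expired
  let secondBurst;
  for (let i = 0; i < 6; i++) secondBurst = rl.check(ip, now + i * 100);
  return { firstBurst, lockedRetry, secondBurst };
}

console.log(JSON.stringify(simulate(), null, 2));
```

In the replay, the first five attempts pass, the sixth trips a one-minute lockout, the retry during that minute is refused with the remaining wait, and the next burst after expiry escalates straight to the fifteen-minute tier because the strike count persists across lockouts. Keying on IP alone is the usual first tier; a second limiter keyed on the target account catches attackers who rotate addresses.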

Infrastructure

  • Hosted on Vercel (SOC 2 Type II attestation)
  • Neon PostgreSQL database (SOC 2 Type II attestation)
  • Automatic Point-in-Time Recovery (PITR) backups
  • DDoS protection via Cloudflare
  • Strict Content Security Policy (CSP) headers
  • HSTS enforcement with 1-year max-age

Automated Monitoring

  • 7 automated security monitors running continuously
  • Deployment integrity verification against GitHub
  • Content integrity hashing to catch unauthorized changes
  • TLS certificate expiry monitoring
  • DNS record change detection
  • Auth anomaly detection (rate limit spikes, bot spikes)
  • Privilege escalation monitoring
  • Alerts go to administrators in real time

Application Security

  • Honeypot paths to detect vulnerability scanners
  • Admin access restricted by IP allowlist
  • Request body size validation
  • Webhook signature verification (Svix/Clerk, Stripe)
  • CSRF protection and X-Frame-Options: DENY
  • Permissions-Policy restricting camera, microphone, geolocation

Compliance & Governance

  • SOC 2 Type II control monitoring with automated checks
  • Platform governance policies reviewed yearly
  • Incident response plan with tabletop testing
  • Vendor risk management program
  • Data retention policies with automated enforcement
  • Privacy policy covers CCPA/CPRA and 19+ state laws

Data Privacy

  • Customer data is never shared with third parties for marketing
  • Tenant data isolation: organizations cannot access each other's data
  • Data export available at any time
  • Data deletion within 90 days of account termination
  • Cookie-free analytics (Vercel Analytics)
  • Full privacy policy available at /privacy

Responsible Disclosure

Found a security vulnerability? Please report it responsibly. We review every report and will get back to you quickly.

Contact: security@goblacksheep.io

Last updated: March 27, 2026