Spike Labs

Effective

Security

This page documents the security practices in place at Spike Labs, Inc. for HomeHand, TeamHand, CreatorHand, SchoolHand, and the integrations infrastructure that supports them. We aim to be straightforward about what we do today and about gaps we’re still working through.

Reporting a security issue

If you believe you’ve found a vulnerability in any Spike Labs service, please email legal@spikelabsinc.com with a clear description and any reproduction steps. We aim to acknowledge reports within two business days and will keep you updated as we investigate and remediate. Please do not publicly disclose the issue until we’ve had a reasonable opportunity to address it.

We don’t currently run a formal bug bounty program, but we genuinely appreciate good-faith reports and will credit researchers who request it.

Hosting and infrastructure

Our backend services run on Amazon Web Services (AWS) in U.S. regions. Compute lives in Amazon EKS (managed Kubernetes); managed PostgreSQL is provided by Neon; object storage uses Amazon S3. Customer-facing web properties are hosted on Vercel. Code is hosted on GitHub.

Each of these providers operates under its own audited security program (SOC 2, ISO 27001, where applicable). We rely on those certifications for the underlying platform controls and layer our application-level controls on top.

Encryption

In transit: all traffic to Spike Labs services is served over HTTPS with TLS 1.2 or higher. Internal service-to-service traffic inside our VPC is likewise encrypted.

At rest: databases, object storage, and managed disks (EBS) are encrypted at rest using provider-managed keys (AES-256). Backups inherit the same encryption.

OAuth tokens and third-party connections

When you connect a third-party service (e.g., Google Calendar) we never see your password. The OAuth authorization flow is orchestrated by Nango, a SOC 2 Type II compliant OAuth provider. Refresh and access tokens are stored by Nango; our backend retrieves them through Nango's API using API credentials that are kept in AWS Secrets Manager and rotated regularly. Spike Labs services never write tokens to our application logs.

You can revoke our access to any connected Google account at any time via Google’s third-party access page or by disconnecting the integration in our application. Disconnecting removes the cached data and the OAuth tokens associated with that connection within 30 days.
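The "never write tokens to our application logs" control is only as good as the code that enforces it. The following is an added example, not Spike Labs code, of one way to enforce it in a Python service: a logging filter that redacts bearer tokens, Google-style access and refresh tokens, and token-named fields before any handler sees the record. The logger name, the token patterns and the sample log line are constructed for the example.

```python
import io
import logging
import re

# Patterns for material that must never reach application logs. Constructed for
# this example; a real deployment extends the list for each provider it uses.
_TOKEN_PATTERNS = [
    # "Authorization: Bearer <opaque token or JWT>"; group 1 keeps the prefix
    re.compile(r"(?i)(bearer\s+)[A-Za-z0-9\-._~+/]+=*"),
    # Google OAuth access tokens start with "ya29.", refresh tokens with "1//"
    re.compile(r"ya29\.[A-Za-z0-9\-._]+"),
    re.compile(r"1//[A-Za-z0-9\-._]+"),
    # JSON or query-string fields named like a token or secret; group 1 keeps the key
    re.compile(r'(?i)("?(?:access_token|refresh_token|client_secret|id_token)"?\s*[:=]\s*"?)[^"&\s,}]+'),
]


def redact(text: str) -> str:
    """Replace every token-looking value in text with [REDACTED], keeping key names."""
    for pattern in _TOKEN_PATTERNS:
        text = pattern.sub(
            lambda m: (m.group(1) if m.lastindex else "") + "[REDACTED]", text
        )
    return text


class TokenRedactingFilter(logging.Filter):
    """Rewrites each record's message before any handler formats or ships it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-style args first: a token passed as an argument would otherwise
        # survive redaction of the bare format string.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def demo_log_line() -> str:
    """Send a constructed line containing a fake access token through a redacting
    logger and return exactly what the handler wrote."""
    logger = logging.getLogger("spike.example")  # constructed logger name
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(TokenRedactingFilter())
    logger.info("calendar sync ok, token=%s", "ya29.a0AfB_constructedSampleToken")
    handler.flush()
    return buf.getvalue().strip()


if __name__ == "__main__":
    print(demo_log_line())
```

Attach the filter to the root logger (or to every logger that can receive request or provider data) at process start; a filter installed on a single handler would not protect records shipped by another handler, and exception tracebacks that embed tokens in local variable reprs still need the same treatment in whatever error-reporting integration is used.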

Authentication and access control

End-user authentication is handled by Clerk, a SOC 2 Type II compliant identity provider. Sessions are issued as short-lived JWTs.

Production access for Spike Labs employees is gated through AWS IAM Identity Center with single sign-on and mandatory multi-factor authentication. Access to production systems and customer data is limited to staff who need it for their role. Database and infrastructure activity is logged.

Secrets management

Application secrets (database credentials, third-party API keys, signing keys) are stored in AWS Secrets Manager and injected into running services at boot. Secrets are not checked into source control, and engineers do not have standing access to production secrets.

Data handling

Customer data is logically separated by tenant identifiers enforced at the database query layer. Backups are taken daily and retained for 30 days. We restore-test backups periodically. We do not export customer data to analytics warehouses, training pipelines, or third-party processors beyond what’s disclosed in our Privacy Policy.
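"Tenant identifiers enforced at the database query layer" means the tenant predicate must come from the authenticated session and must be impossible for request code to omit or override. The following is an added example, not Spike Labs code, of a query wrapper that does both: it binds tenant_id from the session (a caller-supplied value is overwritten) and refuses to run any statement against a tenant-owned table that lacks the predicate. The schema, table names and rows are constructed for the example, and SQLite stands in for PostgreSQL so it runs offline.

```python
from __future__ import annotations

import sqlite3

# Tables whose rows belong to a tenant. Constructed for the example.
TENANT_TABLES = {"events", "calendars"}


class TenantScopeError(RuntimeError):
    """A statement would touch tenant-owned data without a tenant predicate."""


class TenantDB:
    """All queries for one authenticated tenant go through this object."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self.conn = conn
        self.tenant_id = tenant_id

    def query(self, sql: str, params: dict | None = None) -> list[tuple]:
        lowered = sql.lower()
        touches_tenant_data = any(t in lowered for t in TENANT_TABLES)
        # Guardrail against the most common mistake (a forgotten WHERE clause).
        # It is a string check, not a SQL parser; see the note below the block.
        if touches_tenant_data and "tenant_id = :tenant_id" not in lowered:
            raise TenantScopeError(f"unscoped query on tenant table: {sql!r}")
        # The session value is applied last, so a caller-supplied tenant_id
        # can never widen the scope.
        bound = {**(params or {}), "tenant_id": self.tenant_id}
        return self.conn.execute(sql, bound).fetchall()


def build_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.execute("CREATE INDEX ix_events_tenant ON events (tenant_id)")
    conn.executemany(
        "INSERT INTO events (tenant_id, title) VALUES (?, ?)",
        [("tenant-a", "Standup"), ("tenant-a", "Retro"), ("tenant-b", "Board meeting")],
    )
    return conn


def list_titles(db: TenantDB) -> list[str]:
    rows = db.query("SELECT title FROM events WHERE tenant_id = :tenant_id ORDER BY id")
    return [title for (title,) in rows]


if __name__ == "__main__":
    conn = build_demo_db()
    print(list_titles(TenantDB(conn, "tenant-a")))  # tenant-a rows only
    try:
        TenantDB(conn, "tenant-a").query("SELECT title FROM events")
    except TenantScopeError as exc:
        print("blocked:", exc)
```

The string check catches the forgotten predicate but not a clever one (`... WHERE tenant_id = :tenant_id OR 1=1`), which is why the stronger version of this control on PostgreSQL is row-level security: a policy such as `USING (tenant_id = current_setting('app.tenant_id'))` enforced by the database for every statement, with the application only setting `app.tenant_id` from the session at connection checkout. The wrapper above then becomes a second layer rather than the only one.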

Software supply chain

Dependencies are pinned via lockfiles and updated through Dependabot pull requests. We monitor advisories from GitHub's security alerts on every repository. CI runs on every change before deploy. Container images are pulled from trusted registries (ECR, official Docker Hub publishers) and pinned by digest where practical, since a tag can be re-pointed at different content but a sha256 digest cannot.
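"Pinned by digest where practical" is easiest to keep true when CI refuses a Dockerfile whose base image is referenced by tag alone. The following is an added example, not Spike Labs' CI, of such a check: it parses every FROM line, skips references to earlier build stages and the empty `scratch` image, and reports any remaining image that is not pinned with `@sha256:<64 hex>`. The sample Dockerfile, its registry paths and its all-zero digest are constructed placeholders.

```python
import re
import sys
from pathlib import Path

# Matches "FROM [--platform=...] <ref> [AS <alias>]"; comments never match
# because "#" precedes FROM on those lines.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?",
    re.IGNORECASE | re.MULTILINE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_images(dockerfile_text: str) -> list[str]:
    """Return every base image reference that is not pinned to a sha256 digest."""
    offenders: list[str] = []
    stages: set[str] = set()
    for m in FROM_RE.finditer(dockerfile_text):
        ref, alias = m.group("ref"), m.group("alias")
        # An earlier build stage or "scratch" has no digest to pin.
        if ref.lower() in stages or ref.lower() == "scratch":
            pass
        elif not DIGEST_RE.search(ref):
            offenders.append(ref)
        if alias:
            stages.add(alias.lower())
    return offenders


def lint(path: str) -> int:
    """Print each unpinned image and return a CI-friendly exit status."""
    offenders = unpinned_images(Path(path).read_text())
    for ref in offenders:
        print(f"{path}: base image not pinned by digest: {ref}")
    return 1 if offenders else 0


# Constructed sample: the first FROM is tag-only, the second is digest-pinned
# (placeholder digest), the last two reference scratch and an earlier stage.
SAMPLE_DOCKERFILE = """\
# build stage
FROM --platform=linux/amd64 public.ecr.aws/docker/library/node:20-bookworm AS builder
WORKDIR /app
COPY . .
RUN npm ci && npm run build

FROM public.ecr.aws/docker/library/node:20-bookworm-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=builder /app/dist /app/dist
FROM scratch
FROM builder AS test
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(lint(sys.argv[1]))
    print("unpinned in sample:", unpinned_images(SAMPLE_DOCKERFILE))
```

Run it as a pre-deploy CI step over every Dockerfile in the repository. A digest pin only freezes the bytes; it does not refresh them, so pair it with the regular base-image rebuilds described below and let the dependency-update bot propose the new digest when the upstream image changes.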

Vulnerability management

We patch known critical vulnerabilities as soon as a fix is available. Operating system and runtime base images are rebuilt regularly. We do not currently run a continuous third-party penetration test program; targeted assessments are conducted ad hoc as we scope sensitive features.

Incident response

We follow an internal incident-response runbook covering detection, containment, eradication, and post-mortem. If an incident affects customer data we will notify affected users and, where required, regulators within applicable timelines (e.g., 72 hours under GDPR). Status updates for active incidents are posted to our status page and via in-app notice.

What we don't have (yet)

We aim to be candid about gaps so you can make an informed decision about using our services:

  • SOC 2 / ISO 27001: Spike Labs is not currently SOC 2 or ISO 27001 certified. We rely on the audited programs of our infrastructure providers (AWS, Vercel, Nango, Clerk, Neon) for platform controls.
  • Bug bounty: we don’t run a formal program with payouts. We do welcome and respond to responsible disclosures.
  • Continuous third-party penetration testing: not in place; targeted assessments only.

Contact

Spike Labs, Inc.
Email: legal@spikelabsinc.com