The Plutobee Enterprise Trust Center.

The standards we hold ourselves to, the documents we produce as engagement artifacts, and the controls we evidence on every project. Written for the procurement officer, the security reviewer, and the CISO.

Section 01

Development standards.

The rules every engineer follows on every line of code.

Source control. Git on GitHub Enterprise or GitLab, per customer preference. Branch protection enforced on main with required reviewers, required green CI, required signed commits, and stale reviews dismissed on push. No force push, no admin bypass, no exceptions.

Code review. Every change reviewed by a peer. Codeowner approval required for sensitive paths (auth, payment, PHI handlers, IAM policies). Pull requests must include a description, linked ticket, test evidence, and a rollback plan if the change is non-trivial.

Coding standards. Language-specific style guides enforced by linter in CI. ESLint + Prettier for TypeScript. Black + Ruff for Python. gofmt + staticcheck for Go. clippy for Rust. Standards are not aspirational; they are mechanically enforced.

Dependency management. Renovate or Dependabot on every repo. Pinned versions for production deps. SBOM generated in CycloneDX format on every build. License audit catches GPL contamination before merge.

Architectural decision records. ADRs in the repo for non-trivial choices. The decision, the alternatives considered, the consequences, the date. Future engineers (ours or yours) understand why a thing is the way it is.

Documentation as code. README current with the build. API docs generated from source. Runbooks for every alert. Customer-facing changelog for every release.

Section 02

Quality assurance standards.

What we test, how, and what blocks merge.

Test pyramid. Unit tests for logic. Integration tests for system boundaries. Contract tests between services. Component tests for UI behavior. End-to-end for golden paths only. The pyramid is intentional, not accidental.

Coverage gates. 80% line coverage on new code as a hard CI gate. Critical paths (auth, payment, data handling) must hit 95% with mutation score above 70%. Coverage measured per PR diff to prevent slow erosion.

Performance budgets. p50, p95, p99 latencies budgeted before development. Load tests in CI fail the build if budget is breached. Bundle size budgets on client-side. Database query budgets in development.

Accessibility. axe-core in CI for automated checks. Manual screen-reader sweep before each milestone release. WCAG 2.1 AA non-negotiable for customer-facing surfaces.

Security scanning. SAST (Semgrep with custom rules). DAST (OWASP ZAP, Burp on milestones). Container scan (Trivy). Secret scan (gitleaks). Every PR. Every build.

Visual regression. Chromatic or Percy on UI changes. Human approval required for visual diffs.

Mutation testing. Stryker for TypeScript, mutmut for Python on critical paths. Mutation score is a leading indicator of test quality that coverage alone misses.

Section 03

Security controls in production.

Mapped to NIST SP 800-53 Rev 5 and ISO/IEC 27001:2022 Annex A.

Access management (AC family). SSO via SAML or OIDC. MFA enforced for all production access. Hardware keys (YubiKey) for admin roles. Role-based access reviewed quarterly. JIT (just-in-time) elevation for break-glass. No shared accounts.

Audit and accountability (AU family). Immutable logs to S3 with object lock. CloudTrail or equivalent for control-plane activity. Application logs with PII redaction in the shipping pipeline. Retention per regulatory requirement (typically 7 years for financial, 6 for HIPAA).

Configuration management (CM family). Infrastructure as code in Terraform. Drift detection nightly. Approved baseline images. No manual production changes outside emergency runbook.

Contingency planning (CP family). RTO 4 hours, RPO 15 minutes for tier-1. Cross-region replication. Quarterly restore drills. Annual full disaster recovery exercise with customer.

Identification and authentication (IA family). Federated identity. Passwordless where possible. WebAuthn for critical services. No password expiry policies (per NIST 800-63B current guidance).

Incident response (IR family). Documented runbook. On-call rotation. Communication tree. Severity matrix. Postmortem template. Customer notification SLAs.

System and information integrity (SI family). Real-time AV/EDR (CrowdStrike or SentinelOne). Continuous vulnerability scanning. Patching SLAs by severity.

Section 04

Incident response playbook.

What actually happens when something goes wrong.

T+0 - Detection. Alert fires from observability stack. On-call engineer paged via PagerDuty or Opsgenie. Acknowledgment expected within 5 minutes for P1.

T+5 - Triage. Severity assigned. P1 (production down, data integrity at risk) gets immediate escalation. P2 (degraded service) gets standard response. Status page incident opened.

T+15 - War room. P1 triggers a war-room channel. Incident commander assigned. Communications lead assigned. Customer-side technical contact looped in within 30 minutes.

T+30 - Customer notification. Confirmed material incident triggers customer notification with current state, suspected cause, mitigation in progress, next update timing.

T+60 - Mitigation. Rollback if applicable. Traffic shifting. Database point-in-time restore if data is corrupted. Customer comms updated hourly at minimum.

T+24h - Resolution. Service restored. Status page updated to resolved. Customer comms with summary, root cause indication, next steps.

T+5d - Postmortem. Blameless. Documented timeline, contributing factors, action items with owners and dates. Published internally and to affected customers if requested.

T+30d - Action items closed. Every action item from a postmortem closed within 30 days or escalated. We track close rate as a quality metric.

Section 05

Vendor and supply chain security.

The boring questions procurement always asks.

Sub-processor review. Every sub-processor reviewed annually. SOC 2 reports collected and tracked. New sub-processors require security review before onboarding.

Notice of sub-processor change. 30 days advance written notice for material additions. Customer right of objection per DPA.

Supply chain integrity. SBOM generated per build. Signed container images. Dependency provenance tracked. Sigstore or Notary for image signing for customers who require it.

Open-source license compliance. Automated license scan in CI. Categories blocked at policy level. Customer attribution generated automatically.

Hardware supply chain. Employee laptops MDM-managed. Disk encryption enforced. Lost device wipe. Hardware procurement through approved channels only.

Section 06

Privacy and data handling.

What we know about your users, how, and for how long.

Data classification. Public, internal, confidential, restricted. Each class has a handling matrix: encryption, access, logging, retention, sharing constraints.

Data minimization. We collect what is needed for the engagement. PII minimized at ingress. Synthetic data used in non-production.

Data subject rights. Access, rectification, erasure, portability, restriction, objection. SLAs defined per regulatory regime (typically 30 days for GDPR, 45 for CCPA).

Cross-border transfers. SCCs Module 2 and 3 for EEA to US transfers. UK IDTA addendum for UK. Localization options for residency-strict customers (EU-only, US-only, etc.).

Data retention. Defined per record type and regulatory regime. Deletion is real (not soft-delete) and extends to backups within the rolling backup window.

Cookie and tracking. Privacy-first analytics (Plausible) by default. Marketing cookies require explicit opt-in. No third-party trackers without consent.

Section 07

Right-to-audit and attestation.

What you can ask for, what we provide without asking.

Right to audit. Enterprise customers have contractual right to audit our security posture annually at customer expense. We support remote audit by default; on-site by arrangement.

Attestations we provide. SOC 2 Type II (in audit, expected Q4 2026). ISO/IEC 27001:2022 (Stage 1 Q3 2026). PCI DSS attestation for in-scope services. HIPAA BAA. Standard SIG Lite, CAIQ Lite, HECVAT Lite responses.

Penetration test reports. Annual external pen-test report (redacted version) available under NDA. Quarterly internal red-team summary available to Enterprise customers.

Customer-side audit support. Your auditor reviewing our controls (sub-processor model) gets a dedicated point of contact, evidence collection support, and remediation timeline transparency.

Request the full security package

SOC 2 letter of engagement, ISO 27001 statement of applicability, SBOM samples, redacted pen-test summary, sub-processor list, SCCs Module 2/3, UK IDTA addendum, BAA template, full SIG Lite response. NDA-bound, returned within 5 business days.


Report a vulnerability

Coordinated disclosure with a 90-day standard window. Hall of fame for verified reports. PGP key available on request. See our security.txt, or email security@plutobee.com.

Want to start your vendor security review?

A senior member of our trust team responds within one business day. We can usually return a full SIG Lite questionnaire in 5 business days.
