Security

Security at Postrule

We treat security as a continuous engineering practice, not a checkbox. This page is the short version; the documents below carry the detail procurement readers and security researchers need.

How we operate

Postrule runs on hardened cloud infrastructure with TLS in transit and managed encryption at rest. Build and publish pipelines use modern OIDC-based trusted publishing with provenance attestations rather than long-lived tokens. Dependency alerts are monitored continuously, and high-severity findings are patched within the same week. We adhere to GDPR-aligned commitments for breach notification (within 72 hours of discovery) and compelled-disclosure notification (within 24 hours of receipt, where legally permitted).

Where we don't yet hold a third-party attestation (SOC 2, ISO 27001, HIPAA), we say so plainly. Roadmap targets and the current status of any specific compliance question are available on request to licensing@b-treeventures.com.

Documents

For customers whose procurement process needs more than this one-pager:

Reporting a vulnerability

Email security@postrule.ai. Please do not file a public GitHub issue. You can expect acknowledgement within 72 hours and a triage decision within five business days. Severity-driven patch timelines and scope details live in SECURITY.md. Anonymous reports are welcome.
