SECURITY · STATUS REPORT File ref · GFP-SEC-2026-04
PLATFORM · OPERATIONAL STRIPE · LIVE INCIDENTS · 0 OPEN

Built to hold.
Not to impress.
Every transaction, every account, every byte.

Industrial supply is where a wrong part costs a factory £60k an hour. The platform routing those orders needs to not flinch.

This page is the whole security posture — every control we run, the standards we're aligned to, and the gaps we're honest about. No certification-mongering. No theatre. A single page you can print.

Last updated · 20 January 2026  ·  Rev. 26.04  ·  Next review · Q2 2026
§ 02 · FRAMEWORKS · ALIGNMENT

Standards we align our practices with.

Where the industry converges, so do we. These aren't certifications yet — they're the control frameworks our engineering & ops decisions are measured against internally, with an active roadmap to formal audit.

§ STD · 01 OPERATIONAL
SOC 2

Operational security controls — security, availability, confidentiality, and processing integrity of customer data across the platform.

ALIGNED · TYPE II IN ROADMAP
§ STD · 02 MANAGEMENT
ISO 27001

International standard for information security management systems — policy, risk assessment, and continuous improvement of controls.

ALIGNED · CERT. IN ROADMAP
§ STD · 03 DATA · LEGAL
GDPR

EU & UK GDPR compliance — lawful basis, data minimisation, subject-access, retention & deletion. Enforced at the platform level, not bolted on.

COMPLIANT · ONGOING
Transparency note · Certification status

GoFindPart is not currently certified for SOC 2 or ISO 27001. These represent standards we design against and are actively working towards. We would rather tell you the true state of our security posture — and what we're doing to improve it — than sticker-badge a page and hope you don't look closely. Our roadmap to formal audit is below.

§ 03 · CONTROLS · 01–06

The whole schedule.

Six control groups. Every technical measure that runs on the platform, grouped by what it protects. No marketing categories, no fluff — these are the actual controls shipped in the codebase and infrastructure.

§ 01

Authentication & access

LIVE
  • JWT access tokens: 15-minute expiry; short-lived by design. No long-lived bearer tokens in circulation.
  • HttpOnly refresh cookies: Refresh tokens stored server-side in HttpOnly, SameSite cookies — never in localStorage, never reachable from JS.
  • Token rotation + reuse detection: Every refresh issues a new pair. Any attempted reuse of an old refresh token revokes the whole family and logs the event.
  • Single-session enforcement: A new login revokes all prior sessions for that account — credential theft is contained to one browser, at most.
CONTROLS · 04 REF · AUTH-SVC
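The rotation and reuse-detection control above is easiest to reason about in code. The following is an added example written for this page, not GoFindPart's AUTH-SVC; the in-memory Map and the `securityLog` array are assumptions standing in for the real token store and audit logger. It shows the three behaviours the control describes: each refresh mints a new token and spends the old one, replaying a spent token revokes the entire family (so the legitimate holder's latest token dies too, which is what surfaces the theft), and a fresh login revokes every earlier family for that account.

```typescript
// Added example: refresh-token rotation with family-level reuse detection.
// Illustrative only; the Map-backed store is an assumption, not the real service.
import { randomBytes } from "node:crypto";

type RefreshRecord = {
  family: string;   // one family per login session
  userId: string;
  used: boolean;    // true once this token has been exchanged for a successor
  revoked: boolean;
};

const store = new Map<string, RefreshRecord>();   // refresh token -> record
const revokedFamilies = new Set<string>();
const securityLog: string[] = [];                 // stands in for the audit logger

function newToken(): string {
  // 256 bits of CSPRNG output, URL-safe so it can sit in a cookie value.
  return randomBytes(32).toString("base64url");
}

/** Login: revoke every earlier session of the user, then start a fresh family. */
function issueOnLogin(userId: string): { refreshToken: string; family: string } {
  store.forEach((rec) => {
    if (rec.userId === userId && !rec.revoked) {
      rec.revoked = true;
      revokedFamilies.add(rec.family);
    }
  });
  const family = newToken();
  const refreshToken = newToken();
  store.set(refreshToken, { family, userId, used: false, revoked: false });
  return { refreshToken, family };
}

function revokeFamily(family: string): void {
  revokedFamilies.add(family);
  store.forEach((rec) => {
    if (rec.family === family) rec.revoked = true;
  });
}

type RotateResult = { ok: true; refreshToken: string } | { ok: false; reason: string };

/** Exchange a refresh token for its successor. A spent token coming back means two parties hold it. */
function rotate(presented: string): RotateResult {
  const rec = store.get(presented);
  if (!rec) return { ok: false, reason: "unknown token" };
  if (rec.revoked || revokedFamilies.has(rec.family)) return { ok: false, reason: "family revoked" };
  if (rec.used) {
    // Reuse detection: kill the whole family and record the event for the SOC.
    revokeFamily(rec.family);
    securityLog.push(`refresh-reuse user=${rec.userId} family=${rec.family}`);
    return { ok: false, reason: "reuse detected; family revoked" };
  }
  rec.used = true;
  const refreshToken = newToken();
  store.set(refreshToken, { family: rec.family, userId: rec.userId, used: false, revoked: false });
  return { ok: true, refreshToken };
}
```

The design point is that the server never needs to know which of the two holders is the attacker: the moment a spent token reappears, both are logged out and the event is logged, so the legitimate user re-authenticates and the stolen copy is worthless.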
§ 02

API & webhook security

LIVE
  • CSRF protection: Origin-header validation on every state-changing request. Cross-site forgeries never reach business logic.
  • Stripe webhook signatures: Every payment event is signature-verified against Stripe's secret before it can mutate an order or trigger a payout.
  • Zod schema validation: Every request body is parsed through a typed Zod schema. Unknown fields are stripped; malformed input is rejected at the edge.
  • Normalisation & sanitisation: Inputs are trimmed, normalised, and encoded before they touch the database or rendering layer.
CONTROLS · 04 REF · API-GATEWAY
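Webhook signature verification is the control in this group most often implemented wrongly (string equality, no replay window, verifying a re-serialised body instead of the raw bytes). The example below is added for this page and is not GoFindPart's gateway code nor Stripe's SDK; it implements the published Stripe signing scheme directly: the `Stripe-Signature` header carries `t=<unix seconds>,v1=<hex>` and the signature is HMAC-SHA256 over `${t}.${rawBody}` keyed with the endpoint secret. The `signForTest` helper, the secret and the event body are constructed fixtures. In production the same check is done by `stripe.webhooks.constructEvent`; the point here is what that call has to get right: constant-time comparison, a timestamp tolerance, and hashing the raw request body exactly as received.

```typescript
// Added example: verify a Stripe-style webhook signature before any state change.
// Illustrative; fixtures below are constructed, the secret is not a real key.
import { createHmac, timingSafeEqual } from "node:crypto";

type VerifyResult = { ok: true } | { ok: false; reason: string };

function verifyWebhook(
  rawBody: string,            // the raw request bytes, not a re-serialised object
  signatureHeader: string,    // value of the Stripe-Signature header
  secret: string,             // endpoint signing secret
  nowSeconds: number,         // injected clock so the check is testable
  toleranceSeconds = 300,     // replay window; Stripe's SDK default is also 300 s
): VerifyResult {
  let timestamp = "";
  const candidates: string[] = [];
  for (const part of signatureHeader.split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    const val = part.slice(eq + 1).trim();
    if (key === "t") timestamp = val;
    else if (key === "v1") candidates.push(val);   // several v1 entries appear during secret rollover
  }
  if (!/^\d+$/.test(timestamp) || candidates.length === 0) {
    return { ok: false, reason: "malformed signature header" };
  }
  if (Math.abs(nowSeconds - Number(timestamp)) > toleranceSeconds) {
    return { ok: false, reason: "timestamp outside tolerance" };
  }
  const expected = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest();
  for (const hex of candidates) {
    if (!/^[0-9a-f]+$/i.test(hex)) continue;
    const got = Buffer.from(hex, "hex");
    // Length check first: timingSafeEqual throws on unequal lengths.
    if (got.length === expected.length && timingSafeEqual(got, expected)) return { ok: true };
  }
  return { ok: false, reason: "no matching signature" };
}

/** Test fixture only: produce the header the sender would attach. */
function signForTest(rawBody: string, secret: string, ts: number): string {
  const mac = createHmac("sha256", secret).update(`${ts}.${rawBody}`).digest("hex");
  return `t=${ts},v1=${mac}`;
}
```

The order of checks matters for what an attacker can learn: the timestamp is rejected before any HMAC is computed, and the comparison is constant-time so a forged signature fails in the same time regardless of how many leading bytes happen to match.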
§ 03

Application security

LIVE
  • Hardened HTTP headers: HSTS, CSP, X-Frame-Options, Referrer-Policy, and friends — applied via Helmet on every response.
  • Locked-down CORS: CORS allow-list restricted to known GFP frontend origins. Wildcards do not exist in our config.
  • DTO response boundary: Raw Prisma models are never serialised to clients — every response goes through a typed DTO that strips internal fields.
  • Typed error handling: Errors are mapped to typed, user-safe codes. No stack traces, SQL snippets, or internal paths leaked to clients, ever.
CONTROLS · 04 REF · WEB-EDGE
§ 04

Rate limiting & abuse prevention

LIVE
  • Tiered request limits: 100 req / 15 min standard · 10 / 15 min for login · 3 / hr for registration. Graduated by surface area.
  • Sensitive-operation limits: 5 / hr for sensitive account changes · 30 / 15 min for payment endpoints — stricter where the blast radius is larger.
  • Per-IP and per-user tracking: Dual-key counters make shared IPs and compromised accounts independently identifiable.
  • Auto cool-downs: Repeated failed auth attempts trigger incremental cool-downs — credential-stuffing grinds to a halt automatically.
CONTROLS · 04 REF · RATE-LIMIT-SVC
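The four bullets above describe one mechanism from four angles, so a single worked example covers them. It is added for this page and is not the RATE-LIMIT-SVC code; the tier numbers are the ones stated above, while the fixed-window algorithm, the in-memory counters, the cool-down schedule (five failures, then 30 s doubling up to an hour) and the subject-key format are assumptions. A request is evaluated against every subject key it carries (typically one per IP and one per user), so a shared office IP and a single compromised account are throttled independently, and an active cool-down on any subject is checked before any counter is touched.

```typescript
// Added example: tiered, dual-key rate limiting with escalating auth cool-downs.
// Illustrative; the tier table matches the page, everything else is an assumption.
const TIERS = {
  standard:     { limit: 100, windowMs: 15 * 60_000 },
  login:        { limit: 10,  windowMs: 15 * 60_000 },
  registration: { limit: 3,   windowMs: 60 * 60_000 },
  sensitive:    { limit: 5,   windowMs: 60 * 60_000 },
  payment:      { limit: 30,  windowMs: 15 * 60_000 },
};
type TierName = keyof typeof TIERS;

// Constructed cool-down policy: 5 failures, then 30 s doubling per further failure, capped at 1 h.
const FAILURES_BEFORE_COOLDOWN = 5;
const BASE_COOLDOWN_MS = 30_000;
const MAX_COOLDOWN_MS = 60 * 60_000;

type Window = { start: number; count: number };
type Cooldown = { until: number; strikes: number };
type Decision = { allowed: boolean; retryAfterMs: number; blockedBy?: string };

const counters = new Map<string, Window>();     // key: `${tier}:${subject}`
const cooldowns = new Map<string, Cooldown>();  // key: subject, e.g. "user:alice" or "ip:198.51.100.7"

/** Count one request against every subject key; deny if any key is over its tier limit. */
function consume(tier: TierName, subjects: string[], now: number): Decision {
  for (const s of subjects) {
    const cd = cooldowns.get(s);
    if (cd && cd.until > now) return { allowed: false, retryAfterMs: cd.until - now, blockedBy: s };
  }
  const { limit, windowMs } = TIERS[tier];
  let decision: Decision = { allowed: true, retryAfterMs: 0 };
  for (const s of subjects) {
    const key = `${tier}:${s}`;
    let w = counters.get(key);
    if (!w || now - w.start >= windowMs) {
      w = { start: now, count: 0 };             // fixed window rolled over
      counters.set(key, w);
    }
    w.count += 1;                                // count even when denied, so hammering never resets
    if (w.count > limit && decision.allowed) {
      decision = { allowed: false, retryAfterMs: w.start + windowMs - now, blockedBy: s };
    }
  }
  return decision;
}

/** Record a failed authentication; returns the time the subject is blocked until (0 if none yet). */
function recordAuthFailure(subject: string, now: number): number {
  const cd = cooldowns.get(subject) ?? { until: 0, strikes: 0 };
  cd.strikes += 1;
  if (cd.strikes >= FAILURES_BEFORE_COOLDOWN) {
    const doublings = cd.strikes - FAILURES_BEFORE_COOLDOWN;
    cd.until = now + Math.min(MAX_COOLDOWN_MS, BASE_COOLDOWN_MS * 2 ** doublings);
  }
  cooldowns.set(subject, cd);
  return cd.until;
}

/** Successful login clears the strike count for that subject. */
function clearAuthFailures(subject: string): void {
  cooldowns.delete(subject);
}
```

Two choices are deliberate: denied requests are still counted, so an attacker cannot keep a window "warm" by retrying at the limit, and the cool-down is keyed per subject rather than per tier, so a credential-stuffing run that trips the login cool-down for a user is also held off the password-reset and payment surfaces.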
§ 05

Monitoring & incident response

LIVE
  • Structured logging (Pino): JSON logs with sensitive fields redacted at the logger layer — secrets, tokens, and PII never leave the request handler in plaintext.
  • Sentry error tracking: Real-time alerts on runtime errors, with release tracking and user-impact scoring routed to on-call.
  • Prometheus metrics: Infrastructure and business metrics exported for dashboards & alerting — visible to ops 24/7.
  • Admin audit trail: Every staff action against customer data is logged with actor, timestamp, and context. Append-only; human-readable.
CONTROLS · 04 REF · OBSERVABILITY
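"Redacted at the logger layer" means the censoring happens in the serialiser, not in each call site that remembers to do it. The example below is added for this page and is not GoFindPart's logger configuration; Pino itself does this through its `redact` option (whose default censor string is `[Redacted]`), and this stand-alone function reproduces that behaviour without the dependency so it can run here. The list of sensitive key names and the sample context object are constructed for the example.

```typescript
// Added example: a logger-layer redactor for structured JSON logs.
// Illustrative; key list and sample event are constructed, this is not the production Pino config.
const SENSITIVE_KEYS = new Set([
  "password", "token", "accesstoken", "refreshtoken", "authorization",
  "cookie", "set-cookie", "secret", "apikey", "card", "email",
]);
const CENSOR = "[Redacted]";
const MAX_DEPTH = 16;   // bound recursion so a hostile or cyclic object cannot blow the stack

/** Walk any JSON-like value and replace every sensitive key's value, at any depth. */
function redact(value: unknown, depth = 0): unknown {
  if (depth > MAX_DEPTH) return CENSOR;
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      // Match on the key name case-insensitively; headers arrive in mixed case.
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? CENSOR : redact(v, depth + 1);
    }
    return out;
  }
  return value;
}

type Level = "info" | "warn" | "error";

/** Serialise one log line; redaction is applied here, so no call site can forget it. */
function logLine(level: Level, msg: string, ctx: Record<string, unknown>, time = Date.now()): string {
  const safeCtx = redact(ctx) as Record<string, unknown>;
  return JSON.stringify({ level, time, msg, ...safeCtx });
}
```

A useful property to assert in CI is the negative one: after serialising an event built from real-looking credentials, the raw line must not contain the secret substring at all, which catches a key name that quietly slipped out of the list.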
§ 06

Secure development lifecycle

LIVE
  • TypeScript strict mode: Enforced across the entire codebase. A whole class of bugs never reaches runtime because the compiler rejects them.
  • Automated dependency scanning: CVE feeds watched continuously; high-severity advisories trigger automated upgrade PRs.
  • Pre-commit guardrails: Lint, typecheck, unit-test, and build must all pass before a commit lands — CI mirrors the same set on every PR.
  • Infrastructure-as-code: Every Docker, deployment, and infra change lands through reviewed PRs. No hand-edited prod boxes.
CONTROLS · 04 REF · CI-PIPELINE
§ 04 · TRANSPARENCY · ROADMAP

What's in place.
What's next.

Security is a schedule, not a sticker. This is what's shipped today versus what we're executing against for the remainder of 2026.

Current status

IN PLACE · TODAY
  • § 01
    HTTPS everywhere · TLS 1.3: End-to-end encryption for every request — no HTTP fallback, HSTS preloaded.
  • § 02
    Automated vulnerability scanning: Dependency, container, and infrastructure scans running continuously in CI and production.
  • § 03
    Regular penetration testing: Third-party pen tests on a scheduled cadence, with findings tracked to closure and a public summary available on request.
  • § 04
    Privacy-by-design architecture: Data minimisation, PII redaction, and subject-access built into the platform from day one — not retrofitted.

Planned initiatives

ROADMAP · 2026
  • → 01
    SOC 2 Type II certification: Formal audit engagement underway; operational controls mapped; observation window scheduled for H2.
  • → 02
    Third-party security audit programme: Independent code & architecture review on a recurring cadence, with summarised reports available to enterprise customers.
  • → 03
    Bug bounty programme: Public-facing bounty launching for responsible-disclosure researchers — scoped, scored, and paid out through an established platform.
  • → 04
    ISO 27001 certification pathway: Gap analysis complete; ISMS scoping and policy work underway; target audit window 2027 H1.
§ 05 · RESPONSIBLE DISCLOSURE

Found something?
Tell us first.

If you've discovered a security vulnerability in GoFindPart — or even just something that looks off — we'd rather hear about it directly than read about it. Good-faith disclosure is protected, encouraged, and credited.

  • 01
    We acknowledge receipt of every report within 48 hours.
  • 02
    Initial assessment & triage delivered within 5 business days.
  • 03
    We will not take legal action for good-faith security research, provided it respects our scope & rules of engagement.
  • 04
    Credit given in our published advisory — or kept confidential, at your preference.
§ 06 · STILL HAVE QUESTIONS

The desk is open.

Procurement, infosec review, vendor questionnaire, pen-test summary request — we respond to all of it. No sales filter, no "schedule a call" wall.

security@gofindpart.com · Response < 48 hours · Legal safe-harbour active