01 Data residency
US-only primary data stores. All managed services hosting Pallet Solutions data are configured to US regions. No cross-border replication. Backups remain within US regions.
- Hosting: Netlify (static site + serverless functions, US regions).
- Application database: Supabase project PSOMS, US region.
- Vendor and operational records: Airtable, US region.
- Transactional email: Resend, US-based delivery.
02 Encryption
- In transit: TLS 1.2 or higher on every public endpoint.
- At rest: AES-256, provided by the managed service providers (Supabase, Airtable, Netlify, Resend).
- Secrets: stored in environment variables on Netlify; no hardcoded credentials in source. Secrets are rotated on personnel changes and on a defined schedule.
03 Compliance posture
| Item | Status | Notes |
|---|---|---|
| Mutual NDA | In place | Provided at Enterprise and managed-programs onboarding. Standard mutual terms; redlines welcome. |
| Data Processing Addendum (DPA) | In place | Provided at Enterprise and managed-programs onboarding alongside the NDA. |
| SOC 2 Type I | Targeted H2 2026 | On the roadmap. Not yet attested. We will not represent it as in place until the report is issued. |
| SOC 2 Type II | Targeted post-Type I | Sequenced after Type I; timing depends on Type I completion and operating-period observation window. |
| Security questionnaire turnaround | 5 business days | Standard turnaround for Enterprise prospects. Faster on request when scope warrants. |
04 Architectural commitments
- Database isolation between intelligence and operational data. The role that computes PSCI/PSPI has no grants on managed-programs operational data. Information flow is blocked at the role level, not by policy alone. Grants are audited quarterly against the documented architecture.
- Row-level security on Supabase tables by default. The anonymous role has no SELECT policies on sensitive tables. Admin queries route through serverless functions with bearer auth, never client-side.
- No PII in PSCI / PSPI / Market Pulse. The intelligence layer is aggregate federal data and B2B identifiers only. Buyer-side benchmarks are anonymized; vendor-side demand signals are anonymized.
- Secrets in environment variables. Every Netlify function reads credentials from process.env.*. No hardcoded keys in source, ever.
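The role-level isolation, default-deny row-level security and the quarterly grant audit described above, as an added example in Postgres. This is not the PSOMS schema: the schema, table and role names (intel, programs, intel_compute, programs_ops, vendor_records, market_pulse) are hypothetical; anon, authenticated, service_role and auth.uid() are Supabase's built-in roles and helper.

```sql
-- Added example, not Pallet Solutions' schema. Object and role names are
-- hypothetical; anon / authenticated / auth.uid() are Supabase built-ins.

-- 1. Separate schemas and separate roles. The intelligence role is never
--    granted anything on programs.*, so no policy mistake can leak
--    operational rows into the PSCI/PSPI computation.
create schema if not exists intel;
create schema if not exists programs;
create role intel_compute nologin;
create role programs_ops  nologin;

create table programs.vendor_records (
  id       bigint generated always as identity primary key,
  owner_id uuid not null,      -- auth.users.id of the customer user
  vendor   text not null,
  notes    text
);
create table intel.market_pulse (
  period   date    not null,
  naics    text    not null,   -- B2B identifier, no PII
  award_ct integer not null,
  primary key (period, naics)
);

grant usage on schema programs to programs_ops;
grant select, insert, update, delete on all tables in schema programs to programs_ops;
-- Cover tables created later, too; "on all tables" only covers existing ones.
alter default privileges in schema programs
  grant select, insert, update, delete on tables to programs_ops;

grant usage on schema intel to intel_compute;
grant select, insert, update on all tables in schema intel to intel_compute;
-- Deliberately no grant on schema programs for intel_compute.

-- 2. RLS on by default. FORCE makes the table owner obey it as well.
alter table programs.vendor_records enable row level security;
alter table programs.vendor_records force row level security;

-- A policy only filters rows; the role still needs a table grant.
-- authenticated gets the grant, anon gets neither grant nor policy, so an
-- anon request fails at the privilege check before RLS is even consulted.
grant usage on schema programs to authenticated;
grant select, insert, update, delete on programs.vendor_records to authenticated;

create policy vendor_records_owner_read on programs.vendor_records
  for select to authenticated
  using (owner_id = auth.uid());
create policy vendor_records_owner_write on programs.vendor_records
  for all to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- 3. Quarterly grant audit. has_table_privilege follows role membership and
--    PUBLIC grants, so it sees indirect grants that a GRANT listing misses.
--    Expected result: zero rows.
select n.nspname, c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'programs'
  and c.relkind in ('r', 'v', 'm')
  and has_table_privilege('intel_compute', c.oid,
                          'SELECT, INSERT, UPDATE, DELETE');

-- The role must not even be able to resolve names in the schema.
-- Expected result: false.
select has_schema_privilege('intel_compute', 'programs', 'USAGE');

-- 4. No operational table may have RLS switched off. Expected: zero rows.
select n.nspname, c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'programs'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

One caveat to keep in mind when reading the audit queries: Supabase's service_role bypasses RLS entirely. That is why admin queries are routed through serverless functions that check a bearer token first; the function, not the database, is the authorization boundary for that key, so the service key must never reach the client.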
05 Vulnerability and incident handling
- Reporting: security@palletsolutionsusa.com routes to operations leadership.
- Acknowledgment SLA: within 1 business day for initial response, with status updates as the issue is investigated.
- Customer notification: in the event of a confirmed material incident affecting customer data, customers are notified within timelines required by applicable law and contract terms.
06 Request a copy
Procurement and security teams can request our security packet, mutual NDA, DPA, and the most recent security questionnaire response under NDA. Standard turnaround is 5 business days.