Security
How Slope protects your data.
We're a small team, and we run the kind of security posture we'd want for a tool that has read access to our own GSC + GitHub. Here's exactly what we do.
Authentication
User auth runs on AWS Cognito (the same primitives Halani and many enterprise SaaS apps use). Password requirements: 8+ chars, upper, lower, digit. Passwords are hashed by Cognito — we never see the plaintext. Sessions are JWT-based with a 60-minute access token and 30-day refresh token.
Forgot-password and email verification flows use Cognito's built-in mechanisms, with email delivery via AWS SES from noreply@slope.to (verified domain, DKIM-signed).
Integrations
- Google (GSC + GA4). We request only read-only scopes (webmasters.readonly, analytics.readonly). We can never delete, update, or send anything via your Google account. OAuth refresh tokens are stored in AWS Secrets Manager (KMS-encrypted at rest, accessed only by the sync workers with explicit IAM grants).
- GitHub. We use the GitHub App pattern, never personal access tokens. We store the installation ID; when we need to act we mint a short-lived installation token (max 1 hour lifetime) signed with our GitHub App's private key. The App's private key lives in AWS Secrets Manager. You can scope which repos the App can see when you install it, and revoke it from your GitHub org settings at any time.
- LLM keys (Anthropic, OpenAI, Perplexity, Gemini). You bring your own keys — we never auto-provision keys on Slope's account that get charged to your bill. Your keys live in AWS Secrets Manager and are read only by the workers that call those APIs.
Infrastructure
- AWS us-east-1. API Gateway → Lambda (FastAPI/Mangum) for the backend. Workers run on Lambda with EventBridge schedules.
- MongoDB Atlas us-east-1. Network-isolated peering, IP-allowlisted access. M0 tier for now (free), scaling to dedicated tiers as load demands.
- AWS Amplify Hosting for the app (app.slope.to) and marketing site (slope.to), behind CloudFront with ACM-issued TLS certificates.
- AWS Secrets Manager for every secret. No secrets in code, no secrets in env-var literals, no secrets in git.
- AWS SES for transactional email. Domain (slope.to) verified with DKIM + SPF + DMARC in monitor mode.
Encryption
- At rest: all data encrypted with AWS-managed KMS keys (MongoDB Atlas, S3, Secrets Manager).
- In transit: TLS 1.2+ everywhere. HSTS enabled on slope.to and app.slope.to.
- Internal calls: Cognito post-confirmation Lambda → backend uses HMAC-signed payloads with an internal shared secret.
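The internal-call signing described above, written out as an added example (this is illustrative code, not Slope's own implementation). It assumes a JSON payload, a SHA-256 HMAC over the timestamp plus a canonical serialisation of the payload, and a 300-second freshness window; the shared secret, the envelope field names and the window are constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. In the deployment described on the page the shared
# secret would be loaded from AWS Secrets Manager, never hard-coded.
INTERNAL_SECRET = b"constructed-demo-shared-secret-do-not-reuse"

# Reject envelopes whose timestamp is further than this from the verifier's clock,
# which bounds how long a captured envelope remains accepted.
MAX_SKEW_SECONDS = 300


def _canonical(payload: dict, timestamp: int) -> bytes:
    """Deterministic bytes to MAC: timestamp + compact JSON with sorted keys."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return f"{timestamp}.{body}".encode("utf-8")


def sign_payload(payload: dict, secret: bytes = INTERNAL_SECRET,
                 now: Optional[int] = None) -> dict:
    """Producer side (the post-confirmation Lambda): wrap payload in a signed envelope."""
    ts = int(time.time()) if now is None else now
    sig = hmac.new(secret, _canonical(payload, ts), hashlib.sha256).hexdigest()
    return {"payload": payload, "timestamp": ts, "signature": sig}


def verify_payload(envelope: dict, secret: bytes = INTERNAL_SECRET,
                   now: Optional[int] = None) -> bool:
    """Consumer side (the backend): True only if the envelope is fresh and the MAC matches."""
    try:
        payload = envelope["payload"]
        ts = int(envelope["timestamp"])
        sig = str(envelope["signature"])
    except (KeyError, TypeError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False
    expected = hmac.new(secret, _canonical(payload, ts), hashlib.sha256).hexdigest()
    # Constant-time comparison so the verifier does not leak the expected MAC via timing.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    env = sign_payload({"cognito_sub": "constructed-sub-123", "email": "a@example.com"})
    print("valid:", verify_payload(env))
    env["payload"]["email"] = "other@example.com"
    print("tampered:", verify_payload(env))
```

Two details carry the security value: the MAC covers the timestamp as well as the body, so a captured envelope cannot be re-sent with a fresh timestamp, and the comparison uses hmac.compare_digest rather than ==.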
Multi-tenancy
Slope is a single Mongo database with every document scoped by organization_id. Every API endpoint takes an org_id, verifies the caller's membership via Cognito sub → user → org_memberships lookup, then queries with the org_id filter. This is a load-bearing security invariant: our test suite exercises it, and a code reviewer would reject any change that violates it.
Access controls
- Three roles per organization: owner (full control, billing, ownership transfer), admin (manage members + integrations + billing), member (use the app, can't change billing or remove others).
- Ownership transfer requires explicit two-factor confirmation by typing the org slug.
- Members can leave the org at any time but cannot delete others' content; only admin+ can remove members.
Audit log
Every privileged action (invitations, role changes, member removal, integration connect/disconnect, opportunity status changes, bulk operations) writes to an append-only audit log scoped to the organization. Admins on Agency-tier plans can view the log at /audit-log. Audit log entries can't be modified or deleted, even by the actor who created them.
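The three sections above (Multi-tenancy, Access controls, Audit log) describe one request pattern: resolve the caller's membership in org_id, check the role where the action is privileged, filter every query by organization_id, and append privileged actions to an org-scoped log. The following is an added example of that pattern in plain Python, not Slope's code: the users, org_memberships and opportunities collections are stood in by constructed in-memory lists, the role ranking and field names are assumptions, and a real backend would run the same checks as a FastAPI dependency in front of the Mongo queries.

```python
from datetime import datetime, timezone
from typing import Dict, List

# Roles from the page, ranked so an "admin+" check is a single comparison (assumed ranking).
ROLE_RANK = {"member": 0, "admin": 1, "owner": 2}

# Constructed in-memory stand-ins for the collections the page names.
USERS: Dict[str, dict] = {                      # keyed by Cognito sub
    "sub-alice": {"_id": "u_alice"},
    "sub-bob": {"_id": "u_bob"},
    "sub-carol": {"_id": "u_carol"},
}
ORG_MEMBERSHIPS: List[dict] = [
    {"user_id": "u_alice", "organization_id": "org_acme", "role": "owner"},
    {"user_id": "u_bob", "organization_id": "org_acme", "role": "member"},
    {"user_id": "u_bob", "organization_id": "org_globex", "role": "admin"},
    {"user_id": "u_carol", "organization_id": "org_globex", "role": "member"},
]
OPPORTUNITIES: List[dict] = [
    {"_id": "opp_1", "organization_id": "org_acme", "title": "Fix duplicate titles"},
    {"_id": "opp_2", "organization_id": "org_globex", "title": "Add canonical tags"},
]
AUDIT_LOG: List[dict] = []   # append-only: nothing below edits or removes an entry


class Forbidden(Exception):
    """Caller is not a member of org_id, or lacks the required role."""


def resolve_membership(cognito_sub: str, org_id: str) -> dict:
    """Cognito sub -> user -> org_memberships; the caller must belong to org_id."""
    user = USERS.get(cognito_sub)
    if user is None:
        raise Forbidden("unknown user")
    for m in ORG_MEMBERSHIPS:
        if m["user_id"] == user["_id"] and m["organization_id"] == org_id:
            return m
    raise Forbidden("caller is not a member of this organization")


def require_role(membership: dict, minimum: str) -> None:
    """Role gate for privileged actions."""
    if ROLE_RANK[membership["role"]] < ROLE_RANK[minimum]:
        raise Forbidden(f"requires {minimum} or above")


def _audit(org_id: str, actor_user_id: str, action: str, **details) -> None:
    """Append one org-scoped entry; there is deliberately no update or delete path."""
    AUDIT_LOG.append({
        "organization_id": org_id,
        "actor_user_id": actor_user_id,
        "action": action,
        "details": details,
        "at": datetime.now(timezone.utc).isoformat(),
    })


def list_opportunities(cognito_sub: str, org_id: str) -> List[dict]:
    """Read endpoint: membership check first, then the query is always filtered by org_id."""
    resolve_membership(cognito_sub, org_id)
    return [o for o in OPPORTUNITIES if o["organization_id"] == org_id]


def remove_member(cognito_sub: str, org_id: str, target_user_id: str) -> bool:
    """Privileged endpoint: admin+ only, scoped to org_id, recorded in the audit log."""
    actor = resolve_membership(cognito_sub, org_id)
    require_role(actor, "admin")
    if actor["user_id"] == target_user_id:
        raise Forbidden("use the leave-org flow to remove yourself")
    for i, m in enumerate(ORG_MEMBERSHIPS):
        # Both conditions matter: a matching user_id in another org must not be touched.
        if m["organization_id"] == org_id and m["user_id"] == target_user_id:
            del ORG_MEMBERSHIPS[i]
            _audit(org_id, actor["user_id"], "member.removed", target_user_id=target_user_id)
            return True
    return False   # target is not a member of this org


if __name__ == "__main__":
    print(list_opportunities("sub-alice", "org_acme"))
    print(remove_member("sub-bob", "org_globex", "u_carol"), AUDIT_LOG)
```

The point a reviewer checks for is that org_id never comes from the document being read or from a client-supplied field on the record; it is the path parameter the membership check was performed against, and that same value is the query filter.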
Sub-processors
See the full list on our Privacy Policy. We notify users in-product before adding a new sub-processor with access to your data.
Vulnerability reporting
If you believe you've found a security issue in Slope, please email hello@slope.to with subject "Security". We aim to acknowledge within 48 hours. We don't have a formal bug bounty yet, but we do believe in recognizing good-faith research with public credit (and the occasional Slope swag).
What we don't have yet
Honest list, because it matters more than the things we do have:
- SOC 2 — planned for late 2026. Talk to us about Enterprise if you need a security review now.
- SSO (SAML / OIDC) — Enterprise tier feature, not yet shipped.
- Custom data residency (EU, etc.) — Enterprise feature, not yet shipped.
- Penetration testing report — internal review only so far; external pen-test scheduled for Q3 2026.
Need an MSA or security review?
Email hello@slope.to. We're small enough that you'll talk to the people who actually built the security model.