Security is a continuous practice, not a checkbox. This page describes the principles and operational habits we apply — both to w3.style and to the software we build for the people who hire us.
Principles
- Least privilege. Access to systems, code, and credentials is scoped to what each role actually needs, and the grants are reviewed regularly.
- Defense in depth. Multiple independent controls protect each system, rather than relying on a single perimeter.
- Privacy by design. We collect the minimum data necessary, store it for the shortest necessary time, and document what we hold.
- Boring tools. For anything that touches user data, we prefer mature, well-maintained technology over novel solutions.
How we work
- Code review. Changes to production code are reviewed before deployment.
- Automated checks. Linting, type checks, tests, and dependency scanning run on every change in CI.
- Secrets management. Credentials are kept in encrypted secret managers, never in source control.
- Encryption in transit. All public services we deliver use TLS 1.2 or higher by default; older protocol versions are not offered.
- Backups and recovery. Production data is backed up, and recovery procedures are exercised.
- Patching. Dependencies are updated on a regular schedule, with priority handling for security advisories.
Infrastructure partners
We build on established platforms with mature security postures — Cloudflare, AWS, GitHub, and major managed database providers. Each partner is selected for its independent compliance attestations (SOC 2, ISO 27001), its documented GDPR compliance, and its operational track record. Those attestations cover the platform itself; the secure configuration of the services we deploy on it remains our responsibility.
Reporting a vulnerability
If you believe you have found a security issue in something we operate or have built, please email [email protected] with details — ideally including:
- What you observed, and where
- Steps to reproduce
- The potential impact, as you see it
We acknowledge credible reports within two business days, work in good faith to verify and remediate, and credit reporters who request it. We do not currently run a paid bug bounty program, but we appreciate coordinated, responsible disclosure.
Limitations
This page describes our practices. It is not a contractual guarantee. Specific commitments about a particular product, contract, or engagement will be set out in a signed agreement.