Security
Last updated April 27, 2026
The Bird Bath Terminal is operated by First 100 Consulting LLC and is built around a small set of explicit security controls. This page documents how we protect customer data and the dataset itself. If you need a deeper review for vendor onboarding or a Data Processing Agreement, email ryan@first100.io.
Data protection
Encryption in transit
All traffic to the Terminal is TLS 1.2+ via Cloudflare. HTTP requests redirect to HTTPS at the edge.
Encryption at rest
The Postgres database (account data, sessions, audit logs) and the SQLite practice database both reside on Render-managed disks with full-disk encryption. Database backups are encrypted.
Password handling
Passwords are stored as bcrypt hashes with per-user salts. Plain-text passwords never touch our database or logs. Failed login attempts are rate-limited: 5 failures within 15 minutes trigger a 30-minute lockout, applied per email and per IP.
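As an added illustration (not the Terminal's own code), here is one way the lockout rule above can be implemented: a sliding window of failure timestamps kept separately per email and per client IP, with the 5-failures-in-15-minutes threshold and a 30-minute lockout on either key. The class, method names and the Unix-timestamp inputs are assumptions for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60     # failures are counted over a 15-minute sliding window
MAX_FAILURES = 5             # fifth failure inside the window triggers the lockout
LOCKOUT_SECONDS = 30 * 60    # lockout lasts 30 minutes


class LoginThrottle:
    """Sliding-window failed-login throttle keyed by email and by client IP (example code)."""

    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.window = window
        self.max_failures = max_failures
        self.lockout = lockout
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> Unix time at which the lock expires

    @staticmethod
    def _keys(email, ip):
        # Both keys are checked on every attempt, so a lock on either one blocks the login.
        return (f"email:{email.lower()}", f"ip:{ip}")

    def is_locked(self, email, ip, now):
        return any(self._locked_until.get(k, 0) > now for k in self._keys(email, ip))

    def record_failure(self, email, ip, now):
        """Register a failed attempt; return True if this failure started a lockout."""
        triggered = False
        for key in self._keys(email, ip):
            q = self._failures[key]
            q.append(now)
            while q and now - q[0] > self.window:  # drop failures older than the window
                q.popleft()
            if len(q) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                q.clear()
                triggered = True
        return triggered

    def record_success(self, email, ip):
        # A correct password resets the account's counter; the IP counter ages out on its own.
        self._failures.pop(f"email:{email.lower()}", None)

    def attempt(self, email, ip, credentials_ok, now):
        """Apply the policy to one login attempt and return its outcome."""
        if self.is_locked(email, ip, now):
            return "locked"  # rejected before the password is even checked
        if credentials_ok:
            self.record_success(email, ip)
            return "ok"
        return "lockout" if self.record_failure(email, ip, now) else "failed"
```

Checking the lock before verifying credentials means a locked email cannot be used as an oracle during the lockout, and the per-IP key independently throttles one client cycling through many emails.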
Session management
Session cookies are HttpOnly, Secure, SameSite=Lax, and expire after 7 days. Sessions inactive for 60+ days are invalidated server-side. Logout immediately revokes the session token.
Access & abuse controls
Authenticated access only
The Terminal is invite-gated. Every API endpoint (except login, password reset, and the Stripe webhook) requires an authenticated session.
Workspace isolation
Multi-seat Pro and Enterprise workspaces have isolated data: watchlists, chat history, and exports are scoped to the workspace. Cross-workspace access is not possible from any user role.
Rate limiting + bulk-scrape detection
API endpoints enforce per-session request rate limits. A separate detector watches for bulk-extraction patterns (high request volume in a short window) and automatically pauses suspicious sessions pending review.
Per-day record budget
Each session has a daily ceiling on the number of unique practice records returned. The cap scales with subscription tier and is designed to support normal workflows while preventing systematic mirroring of the dataset.
CSRF protection
All state-changing requests (POST/PUT/DELETE) require a CSRF token bound to the session cookie.
Field-tier access controls
Practice fields are classified by sensitivity. Map list endpoints expose only metadata needed to render pins; contact and personal fields are returned only on per-record detail requests, gated by subscription tier, and counted against the daily record budget.
Forensics & audit
Audit logging
Every authenticated API call is recorded with session token, endpoint, IP address, user agent, status code, and timestamp. Logs are retained for 90 days in the live database and longer in encrypted backups.
Watermarked exports
Every CSV export includes a footer identifying the user, timestamp, and license terms. Exports are traceable to the originating session.
Anomaly alerting
A bulk-extraction detection triggers an immediate email to the operations team and pauses the offending session. Suspicious activity is reviewed within one business day.
Infrastructure
The Terminal is hosted on Render (US-Oregon region) behind Cloudflare. Subscription billing is handled by Stripe; we never receive or store payment-card data. AI features use the Anthropic API with no model training on customer data. The complete subprocessor list is at /subprocessors.
Vulnerability reports
Found a security issue? Email ryan@first100.io with details. We aim to acknowledge reports within one business day. Please do not publicly disclose vulnerabilities before we've had a chance to address them.
Compliance posture
- CCPA & US state privacy laws: We honor data-subject requests (access, deletion, correction). Submit at /privacy/request or by email.
- SOC 2: The controls listed above are designed against the SOC 2 Trust Services Criteria. Formal Type 1 audit available on request for Enterprise customers.
- GDPR: Currently US-only operations. We can sign Standard Contractual Clauses for EU customers on request.
- HIPAA: Not a covered entity. The Terminal does not handle protected health information.