The Starr Conspiracy — Trust Portal
The Starr Conspiracy (“TSC”) operates a multi-cloud SaaS architecture using tier-1 managed providers; we operate no on-premise data centers and process no payment-card data. This portal summarizes our security posture and provides the channels through which customer security teams and external researchers can engage with us.
How TSC handles customer data
Standard customer engagements do not require ingesting data from a customer’s enterprise source systems (HR, finance, etc.). Authorized customer users authenticate to the platform and use it as a SaaS application; data within the platform is user-generated work product. This is the load-bearing fact for many of our data-handling answers and is the reason TSC’s exposure to enterprise source-system data is minimized by design.
Architecture & sub-processors
TSC is hosted on a multi-cloud architecture using the following SOC 2 Type II certified providers:
| Sub-processor | Purpose |
|---|---|
| Vercel | Frontend hosting (global edge network) |
| Railway | Backend hosting (US regions) |
| MongoDB Atlas | Database (Dedicated tier, AES-256 at rest) |
| Clerk | Identity & access management (SAML 2.0, SCIM 2.0) |
| Sentry | Application error monitoring |
| OpenAI | Generative AI (LLM, audio transcription) |
| Anthropic | Generative AI (LLM, agentic workflows) |
| GitHub | Source code management & static analysis |
Encryption
- In transit: TLS 1.2+ enforced platform-wide; HSTS header on the frontend; MongoDB Atlas connections require TLS.
- At rest: AES-256 across MongoDB Atlas (Dedicated tier), Vercel, Railway, and Sentry. Customer-Managed Keys (CMK) via AWS KMS available for enterprise customers requiring per-tenant key control.
Authentication & SSO
- SAML 2.0 SSO supported for enterprise customers via Clerk.
- SCIM 2.0 provisioning & deprovisioning supported.
- Identity Providers tested: Okta, Microsoft Entra ID, OneLogin, Google Workspace, and any standards-compliant SAML 2.0 IdP.
Generative AI
- Providers: OpenAI and Anthropic, both at the highest standard commercial tier. Enterprise agreements are in process within 90 days and will add custom DPAs and a contractual commitment to zero retention beyond the request lifecycle.
- Training: per provider commercial terms, API inputs and outputs are not used to train their models.
- Logging: prompt and response content is not logged or persisted beyond the request lifecycle. Application logs capture event metadata only.
- Model controls: production model identifiers are locked as constants in code; changes follow internal change management.
- Customer disable controls: AI-disabled tenant operation is supported via custom deployment configuration for tenants with policy requirements.
Compliance
- SOC 2 Type II: in process. Type I report targeted Q4 2026; Type II report H2 2027.
- Cyber insurance: active cyber liability and tech E&O policy with Travelers, in continuous force since August 2018. Coverage upgrade to $5M / $5M with a $1M social engineering sublimit is in process within 30 days.
- PCI DSS: not applicable — TSC does not process, transmit, or store cardholder data.
- Section 2 Secure Networks Act: TSC does not use any equipment or services from listed entities.
Reporting a security issue
If you have discovered a vulnerability or want to engage with TSC’s security team, please review our Vulnerability Disclosure Program for scope, SLAs, and safe-harbor terms. The intake address is security@thestarrconspiracy.com.
Artifacts available on request
- Architecture diagram (data flows, customer boundaries, AI integration)
- SIG Lite questionnaire response
- AI data-handling addendum
- Customer offboarding playbook (deletion sequence, attestation template)
- Sub-processor list (current)
- Cyber insurance Certificate of Insurance
- Provider SOC 2 attestations on file (under NDA)
- Pen test executive summary (when first independent test completes — within 90 days)
Email security@thestarrconspiracy.com with the engagement context to request artifacts.