Security

Security posture

This page describes the security architecture of BuildForce deployments in plain language, without overclaiming. We'll update it as our posture matures.

GCP-anchored enterprise infrastructure

Each BuildForce deployment runs on Google Cloud Platform (Cloud Run, Secret Manager, Cloud Storage). Underlying GCP infrastructure is SOC 2 Type II certified. Iron Titan Technologies itself is a pre-SOC 2 company — we rely on our providers' certifications while we build toward our own.

Cloudflare Pro at the edge

All traffic passes through Cloudflare Pro (WAF, Super Bot Fight Mode, DDoS mitigation, HTTPS-only). Origin servers are locked behind Cloudflare — direct internet access to the origin is structurally blocked.

Isolated per-customer deployments

Each customer gets their own GCP project, database, and Cloudflare zone. There is no shared database between customers. A security event in one deployment does not affect others.

Secrets management — no dashboard env vars

All credentials are stored in GCP Secret Manager with per-secret IAM bindings. No credentials live in CI dashboards or .env files. Service accounts use Workload Identity Federation — no long-lived JSON keys are generated.

Audit logging and immutability

Admin actions, auth events, and sensitive data mutations flow to Cloud Logging and a retention-locked Cloud Storage bucket. Records are immutable — even an IAM admin cannot delete them.

Vulnerability disclosure

To report a security issue, email security@irontitantechnologies.com. We acknowledge reports within 48 hours and aim to remediate critical issues within 7 days.