How we run this site securely.

This page describes how 3sixs runs the public marketing website at https://3sixs.com. It is website-security transparency, not a full enterprise trust center. Security commitments for paid client engagements live in the signed agreement for that engagement.

• All visitor traffic is served over HTTPS / TLS.
• The site is hosted on Vercel, with standard provider-supported encryption in transit and at rest for stored data.
• DNS, certificate issuance, and edge delivery are handled by the hosting and platform providers.

• Cloudflare Turnstile filters automated and abusive submissions before the form will accept them.
• Upstash Redis stores short-lived per-IP-plus-email counters to rate limit the contact pipeline.
• A silent honeypot field and Zod input validation run on the server side before any downstream call.
• Per-channel fan-out uses Promise.allSettled so a failing notification channel never silently swallows a real inbound brief.

We use Sentry for error and performance monitoring.

Sentry is configured to remove request bodies, request cookies, auth/cookie headers, selected Sentry user identifiers, known contact-form field keys, and Turnstile tokens from event payloads where supported by our SDK configuration. It also redacts email addresses from error messages. Session Replay is not currently enabled.

We do not intentionally add visitor IP addresses to Sentry event payloads; Sentry may still receive connection metadata as a service provider.

• Least-privilege access on admin and vendor accounts; access is granted only where the role requires it.
• Multi-factor authentication is enabled for admin and vendor accounts where the provider supports it.
• Provider sessions are reviewed when team membership changes.

• Source is reviewed before deployment; we ship from a tracked main branch.
• Dependencies are pinned via the package manager lockfile.
• Routine dependency review and patching for libraries that ship to the public site.

We do not claim a public SOC 2 attestation, ISO 27001 certification, HIPAA compliance, PCI compliance, or any other formal certification for this marketing website. If your engagement requires a formal control framework, talk to us during scoping and we will address it in the signed engagement agreement and any required addenda.

If you believe you have found a security issue on this site or in the contact pipeline, please email hello@3sixs.com with a clear description and reproduction steps. Do not test against other people’s accounts, exfiltrate data, or run denial-of-service tests. Good-faith reports made under this section will not result in legal action from 3sixs.

We do not currently run a paid bug-bounty program. We will acknowledge serious reports and update reporters when a fix ships.

If we become aware of a security incident affecting personal information processed through this site, we will investigate, take reasonable steps to mitigate, and notify affected people and regulators where required by law. Internal escalation is to the founder; we are a small team, not a 24/7 NOC.

Security and disclosure: hello@3sixs.com. For broader privacy context see the privacy notice and subprocessor inventory.