Security and trust

Estii holds the commercial core of your deals: scope, rates, pricing, and margin. That data is sensitive, and protecting it is part of the product, not a layer bolted on after. This page describes how we run Estii securely and where our compliance work stands today. We would rather tell you what is true now than imply more.

1. Our SOC 2 program

Estii is working toward a SOC 2 report. We have defined our system boundary, run a gap analysis against the Trust Services Criteria, written our policy set, and stood up an evidence pipeline against our actual stack. The first report commits four categories: Security, Availability, Confidentiality, and Processing Integrity. Privacy is documented and deferred; our Privacy Policy and Data Processing Addendum remain the customer-facing privacy artifacts.

We are not SOC 2 certified yet, and we will not say we are until the report is signed. When it is available, customers and prospects under NDA can request it. If you are evaluating Estii and need detail before then, contact us and we will walk you through our controls.

2. Hosting and infrastructure

Estii runs on Cloudflare. The application, API, data stores, and edge all sit on Cloudflare Workers, D1, KV, R2, Durable Objects, and Queues. Cloudflare maintains its own SOC 2 and ISO 27001 attestations, which we review annually as part of our vendor program. The marketing site is served by Vercel. We do not run our own data centres or servers.

3. Encryption

All traffic to and from Estii is encrypted in transit over HTTPS, with a TLS 1.2 minimum. Customer data is encrypted at rest in Cloudflare's storage services. Backups are stored encrypted in the same infrastructure.

4. Authentication and access

Estii uses passwordless authentication: sign-in is by one-time email token or single sign-on through Google or Microsoft. We do not store passwords, which removes a whole class of breach. Sessions are issued as first-party signed tokens.

Internally, administrative access to the systems that run Estii (Cloudflare, GitHub, Vercel, Stripe, Resend, and our staff identity provider) is limited to the founders, with multi-factor authentication enforced. We review who has access on a quarterly cadence and remove access that is no longer needed.

5. Confidentiality and data handling

We classify the data Estii holds and handle each tier accordingly. Customer deal data, structures, pricing, rates, and margins, is treated as Confidential and stays in production. It is not copied into development or test environments except through a controlled, recorded restore. When you delete your account, we delete your spaces and the associated personal data, and that deletion ages out of backups within the retention window.

6. Availability and recovery

Estii backs up production data to Cloudflare R2 on two daily pipelines, retained for 30 days, with tested restore procedures. We target a 24-hour recovery time and a 24-hour recovery point, and we run a restore test on a defined schedule. Service status is published at status.estii.com.

7. Change management

Changes to Estii go through pull requests with required review and automated checks before they reach production. The main branch is protected, and production deploys run through our CI pipeline, so every change is traceable to who made it, what changed, and when.

8. Monitoring and incident response

We have application observability enabled across the production API, and errors are surfaced to the team in real time. We have an incident response process with severity levels and defined responsibilities, and a customer-notification commitment consistent with our DPA. Expanding log retention, alerting, and uptime monitoring is active work under our SOC 2 program, and we would rather name that than overstate it.

9. Subprocessors

Estii relies on a small set of subprocessors to operate the service: Cloudflare (compute, storage, edge, DNS), Vercel (marketing hosting), Stripe (payments), Resend (transactional email), GitHub (source control and CI/CD), and OpenAI (used for AI-assisted features, routed via Cloudflare AI Gateway, not used to train its models). Each is covered by a data processing agreement and reviewed annually. The full list and the details of what each one processes are in our Privacy Policy and DPA.

10. Vendor management

Before we add a subprocessor that touches customer data, we review its security posture and confirm a data processing agreement is in place. We re-review our subprocessors and their SOC 2 or ISO reports at least once a year, and we update our register when our stack changes.

11. Reporting a vulnerability

If you believe you have found a security issue in Estii, please tell us at security@estii.com. We read every report, we will acknowledge it, and we will not pursue action against good-faith research that respects our users' data and does not degrade the service.

12. Contact

For security questions, due-diligence requests, or to ask about our SOC 2 progress, reach us at security@estii.com.

Estii Co Pty Ltd

Sydney, Australia