Echo Security Centre

Echo is a cloud-based platform built on a secure, fully managed infrastructure. Although we’re a small, fast-growing startup, we prioritise data protection and follow industry best practices appropriate to our current scale. Below is an overview of our security posture and processes.

1. Security Governance and Policies

1.1 Do you have a documented information security policy reviewed at least annually?

Currently, we do not have a formal, fully documented information security policy. As a small startup, we address data handling, employee access, and incident response on an as-needed basis. We plan to develop a more comprehensive policy and schedule regular reviews once our team and customer base grow.

1.2 Do you have a designated security officer?

Yes. One of our co-founders oversees information security and is responsible for keeping Echo's security practices up to date.

1.3 Do you have a formal risk management program?

We follow an informal but deliberate process to identify, discuss, and mitigate risks as part of regular team reviews. We plan to adopt a more structured framework (e.g., NIST or ISO 27001) as we scale.

1.4 Do you conduct security awareness training?

We discuss security best practices internally, including phishing prevention and credential handling. We intend to formalise training as the team grows.

1.5 Do you have background checks for employees with access to sensitive data?

We’re a small, tightly knit team. As we expand, we will implement standard background check processes for new hires.

1.6 Do you comply with industry-specific security standards (ISO, SOC 2, PCI, HIPAA)?

We don't currently hold any certifications. As we grow and our customers' needs evolve, we plan to work toward relevant certifications (e.g., SOC 2 / ISO 27001). However, we do meet GDPR requirements and undergo regular penetration testing.

1.7 Do you have a policy regarding third-party access to your systems?

We currently work with external services (e.g., Stripe, OpenAI) via secure API integrations. These providers do not have direct access to our infrastructure; instead, our application communicates with them using access tokens or similar authentication methods. Given our small size, we have not yet formalised a third-party access policy. If in the future we grant direct access to vendors or contractors, we intend to implement a written policy governing how permissions are granted, monitored, and revoked.

1.8 Do you have a data retention and disposal policy?

We do not have a fully formalised policy yet; however, we do store data in secure AWS S3 buckets located in the EU to align with GDPR requirements. We periodically review our stored data, removing or anonymising anything that’s no longer necessary for operational or legal purposes. As our business grows, we plan to implement a more structured retention and disposal policy, including defined timelines and automated data purges.

2. Secure Development Practices

2.1 Do you have a Secure Software Development Lifecycle (SSDLC)?

We do not currently follow a fully formalised SSDLC. However, we integrate security best practices into our development workflow, including secure coding practices, peer code reviews, and dependency scanning. We are continuously refining our approach and plan to implement more structured security processes, such as automated vulnerability testing and security reviews, as we scale.

2.2 Dynamic application security testing (DAST)?

Currently, we run basic tests and manual QA. We expect to adopt a dedicated DAST solution as our product matures.

2.3 Do you conduct penetration testing?

We conduct penetration tests annually (at a minimum), following the OWASP Web Security Testing Guide (WSTG).

2.4 Vulnerability management process?

We use automated code testing, vulnerability testing (including OWASP Top 10), and continuous monitoring technologies.

2.5 Secrets management?

We store secrets in secure environment variables on our managed cloud platform. We plan to adopt a dedicated secrets manager (e.g., AWS Parameter Store) as needed.

3. Data Security and Privacy

3.1 How do you protect data at rest and in transit?

All traffic is encrypted (TLS 1.2+). Data at rest is encrypted using industry-standard algorithms (e.g., AES-256) in our hosting environment.

3.2 Where is data stored and processed?

In a secure, fully managed EU cloud data centre with enterprise-level physical and network security.

3.3 Do you have a data breach notification policy?

We do. If a breach is detected, we will promptly notify affected customers and follow applicable regulations.

3.4 How do you handle Data Subject Access Requests (DSARs)?

We handle DSARs on a case-by-case basis, verifying identity and providing or deleting data as needed.

3.5 How do you ensure only authorized personnel can access data?

We enforce strict access controls (role-based privileges, MFA) wherever possible.

3.6 What customer data do you process?

Echo primarily processes user account information (e.g., email addresses) and usage metadata to improve the platform experience.

  • Payments & Billing: We do not store or process payment information directly. All transactions are securely handled by Stripe, which is PCI-DSS compliant.

  • Email & Calendar Access: If users connect their email or calendar, we access data strictly as needed for our features (e.g., AI-generated meeting summaries). We do not store emails or calendar data beyond what is required to provide our service.

  • No Sensitive Personal Data: Echo does not process credit card details, health records, or other highly sensitive personal data.

4. Infrastructure Security

4.1 Is your infrastructure on-premises or cloud-hosted?

We rely on a secure, fully managed cloud platform to minimise operational overhead and leverage enterprise-grade infrastructure.

4.2 Which cloud provider(s)?

Our platform runs on AWS, a major, globally recognised provider with multiple certifications (e.g., ISO 27001, SOC 2).

4.3 Do you have a firewall for your network perimeter?

Yes. Echo benefits from Cloudflare’s enterprise-grade firewall and security protection.

This includes:

  • DDoS Mitigation – Protects against large-scale attacks.

  • Web Application Firewall (WAF) – Blocks malicious traffic and prevents exploits.

  • Bot Filtering & Traffic Inspection – Ensures only legitimate requests reach our platform.

Additionally, our hosting environment (AWS) includes network segmentation and security rules to prevent unauthorised access.

4.4 Vulnerability management for infrastructure?

Our infrastructure benefits from Bubble.io's managed hosting, which runs on AWS and Cloudflare. This means that OS- and network-level patches, security updates, and infrastructure monitoring are handled by Bubble and its cloud providers.

Additionally, Bubble undergoes regular security testing and third-party penetration testing, so that vulnerabilities are identified and mitigated proactively. At the application layer, we also monitor for relevant security updates and apply them to our app stack as required.

4.6 Regular security audits of infrastructure?

Yes. Our hosting provider undergoes independent third-party security audits, including SOC 2 Type II and ISO 27001 certifications. These audits ensure that infrastructure security, data protection, and compliance measures are continuously maintained.

4.7 Do you monitor systems and applications for security events?

Yes. We use built-in monitoring tools and logs to detect unusual activity. Alerts are reviewed immediately.

5. Incident Response

5.1 Documented incident response plan?

We have a basic checklist for security and operational incidents, and we’re enhancing it as we grow.

5.2 Dedicated incident response team?

Our co-founders and lead developer share responsibility for incident response, with escalation paths if needed.

5.3 How do you detect and respond to security incidents?

We monitor logs and alerts, investigate any anomalies, and take prompt action to contain and remediate threats.

5.4 Customer notification after an incident?

We will notify any impacted clients promptly via email, detailing the scope and steps taken to resolve the issue.

5.5 Do you run incident response drills?

We do informal tabletop exercises, and plan to formalise drills as our team expands.

5.6 Post-incident analysis?

We conduct a postmortem review after any critical incident to identify root causes and prevent recurrence.

6. Authentication and Access Control

6.1 Do you enforce multi-factor authentication (MFA)?

Yes. Our team uses MFA for admin access to the cloud environment and code repositories.

6.2 Password policy?

We use strong password requirements and encourage team members to use password managers. We plan to formalise an official policy soon.

6.3 User account management?

Accounts are created or removed manually. With a small team, this is straightforward. As we grow, we’ll adopt an identity management solution.

6.4 Do you use role-based access control (RBAC)?

Yes. We provision the minimal privileges needed based on team roles.

6.5 Auditing user access?

Our platform logs user activities, which are stored for a limited period. We review these logs if suspicious activity is detected.

7. Physical Security

7.1 Physical security measures in place?

All data resides in certified, professionally managed data centres. Our small office space uses keycard access, and devices are secured when not in use.

7.2 Procedures for facility access?

Currently, only core team members have office access, and we follow a clean-desk approach.

8. Legal and Regulatory Compliance

8.1 Awareness of legal requirements (GDPR, CCPA, etc.)?

We track relevant data protection laws and ensure we handle user data responsibly. As our customer base grows, we’ll evolve our compliance measures.

8.2 Process for staying up-to-date with regulations?

We monitor industry news and official regulatory updates, and consult legal advisors as needed.

9. Insurance

9.1 Do you carry cybersecurity insurance?

Not at this time. We plan to evaluate cybersecurity insurance once our exposure grows and we handle more sensitive data.

10. Additional Information

10.1 Notable security measures

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).

  • Automated backups and multi-region deployment.

  • Cloudflare DDoS Protection & Web Firewall – Protects against cyber threats and malicious traffic.
10.2 Further documentation/certifications

Echo does not currently hold independent security certifications. However, our hosting providers and the external services we rely on do hold independent security certifications. As we scale, we are assessing suitable partners to help us obtain SOC 2 and ISO 27001 certifications.

10.3 Biggest security challenges

Balancing rapid product development with the resources needed to implement full-scale security controls.

10.4 Future plans

  • Expand formal policies (incident response, risk management).

  • Explore third-party penetration testing.

  • Pursue relevant compliance frameworks as usage and data volume grow.
Declaration

We certify that the information provided here is accurate to the best of our knowledge and will be updated as our security posture evolves.
Questions?

For any further questions or clarifications, please contact us at: support@meetecho.io