Trust Center

Security you can build on.

Backpack Works designs and builds websites, web and mobile apps for B2B companies. This is where you’ll find how we protect the data, code, and infrastructure our clients trust us with — our compliance posture, security practices, and policies.

Compliance & certifications

Where we are on each standard. We show real status — not aspirational claims.

SOC 2 Type II

Preparing

We have built our security program around the SOC 2 Trust Services Criteria (Security, Availability, and Confidentiality). We intend to pursue a formal SOC 2 Type II examination as the business grows — an audit is not yet scheduled.

ISO/IEC 27001

Preparing

We are structuring our Information Security Management System (ISMS) in line with ISO/IEC 27001:2022, with certification as a longer-term goal. No audit is currently scheduled.

GDPR

Aligned

We act as a data processor for our clients and follow the EU General Data Protection Regulation, including offering a Data Processing Agreement.

CCPA / CPRA

Aligned

We support our clients' obligations under the California Consumer Privacy Act and California Privacy Rights Act as a service provider.

Documents

Our policies and legal documents are published openly on this site — no access request needed. Audit reports become available as we complete each program.

Document                          Category   Access
Security policies (all 20)        Policies   Public
Information Security Policy       Policies   Public
Business Continuity & DR Plan     Policies   Public
Data Processing Agreement (DPA)   Legal      Public
Sub-processor List                Legal      Public
SOC 2 Type II Report              Reports    Planned
Penetration Test Summary          Reports    Planned

Have a question or need something not listed here? Contact our security team.

Our security program

How we protect information across the business. Each area summarizes the controls we have in place today.

Data Protection

Data Security

Client data is encrypted in transit and at rest, segregated by project, and access is limited to the people who need it.

Data Privacy

We act as a processor for our clients and support GDPR, CCPA/CPRA obligations, including DPAs and data subject requests.

Encryption

TLS in transit, AES-256 at rest, and centrally managed keys and secrets.

Access & Identity

Access Control

SSO and MFA on critical systems, role-based least-privilege access, and regular access reviews.

Endpoint Security

Company devices use full-disk encryption, screen-lock, anti-malware, and managed configuration.

Infrastructure

Infrastructure & Hosting

We build on hardened, certified cloud platforms (Vercel, WP Engine, Supabase, Cloudflare) with redundancy designed in.

Network Security

Segmented cloud networks, firewalls, DDoS protection, and no flat trust between environments.

Application

Application Security

Secure coding practices, dependency scanning, code review, and a responsible disclosure channel.

Secure Development

A defined SDLC with peer review, separate environments, and automated checks in CI.

Operations

Incident Response

A documented plan with defined roles, severity levels, and customer notification commitments.

Business Continuity & DR

Backups, redundant cloud infrastructure, and a recovery plan to keep client work moving.

Continuous Monitoring

Logging and alerting across key systems, with reviews of access and activity.

Governance

Risk Management

A recurring risk assessment process that drives our security priorities.

Vendor & Third-Party Risk

We vet sub-processors and vendors and maintain a transparent sub-processor list.

Corporate Security

Security awareness training, background-appropriate hiring, and email & account protection.

AI

AI & Data Handling

Clear guardrails for how we use AI tools so client data stays protected.

Sub-processors

Sub-processor                 Purpose                                        Location
Vercel                        Application hosting & edge delivery            United States
WP Engine                     Managed WordPress hosting for client sites     United States
Supabase                      Database, authentication & storage backend     United States
Cloudflare                    CDN, DNS & DDoS protection                     United States (global edge)
HubSpot                       CRM & marketing automation                     United States
Google Workspace (G Suite)    Email, documents & collaboration               United States
Google Workspace SSO          Identity & single sign-on                      United States
Prismic CMS                   Headless CMS for client sites                  France / EU
Slack                         Internal team communication                    United States
1Password                     Secrets & credential management                Canada

Questions about our security?

Our team is happy to support your security review, complete a questionnaire, or share gated documentation under NDA.