Security

Security is foundational to everything we build at Counselr. Your websites, data, and trust are our responsibility, and we take that seriously at every layer of the stack.

Last updated: March 17, 2026

Encryption at rest and in transit

All data stored on Counselr infrastructure is encrypted at rest using AES-256 encryption. This includes databases, file storage, backups, and logs.

Every connection to Counselr is encrypted in transit via TLS 1.3. We enforce HTTPS across all endpoints, including customer websites, the dashboard, and API calls. HSTS headers are set with a one-year max-age to prevent downgrade attacks.
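A one-year HSTS max-age is easy to claim and easy to verify from the outside. The check below is an added example for readers who want to confirm the header on their own endpoints; it is not Counselr's code and it makes one assumption beyond the text above, namely that includeSubDomains should also be present so that subdomains cannot be reached over plain HTTP. The response headers it is run against are constructed inline for illustration.

```python
"""Check a response's Strict-Transport-Security header against a minimum max-age.

Added example (not Counselr's code). Directive names are matched
case-insensitively per RFC 6797; the max-age value may be quoted.
"""

ONE_YEAR_SECONDS = 365 * 24 * 60 * 60  # 31536000, the one-year value the page describes


def parse_hsts(header):
    """Parse an HSTS header value into its directives.

    Returns a dict with max_age (int or None), include_subdomains (bool)
    and preload (bool). Unknown directives are ignored, as browsers do.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if value.isdigit():  # a non-numeric max-age is treated as absent
                result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def check_hsts(headers, min_max_age=ONE_YEAR_SECONDS):
    """Evaluate the HSTS posture of one response.

    `headers` is a dict of response headers; the lookup is case-insensitive.
    Returns (ok, findings): ok is True only when no finding was raised.
    Assumption beyond the page: includeSubDomains is expected as well.
    """
    findings = []
    value = None
    for name, raw in headers.items():
        if name.lower() == "strict-transport-security":
            value = raw
            break
    if value is None:
        return False, ["Strict-Transport-Security header is missing"]

    parsed = parse_hsts(value)
    if parsed["max_age"] is None:
        findings.append("max-age directive missing or non-numeric")
    elif parsed["max_age"] < min_max_age:
        findings.append(
            f"max-age {parsed['max_age']} is below the "
            f"{min_max_age}-second (one-year) minimum"
        )
    if not parsed["include_subdomains"]:
        findings.append(
            "includeSubDomains is not set; subdomains may still be reached over plain HTTP"
        )
    return len(findings) == 0, findings


# Constructed sample responses for illustration (not captured from any real host).
SAMPLE_RESPONSES = {
    "strong": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "short-max-age": {"strict-transport-security": "max-age=300"},
    "missing": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        ok, findings = check_hsts(hdrs)
        print(f"{label}: {'OK' if ok else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

In practice the `headers` dict comes from the response to an HTTPS request against the endpoint under review; the header must be observed on the HTTPS response, since browsers ignore HSTS sent over plain HTTP.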

Network & infrastructure security

Cloudflare WAF. All traffic to Counselr passes through Cloudflare's Web Application Firewall, which blocks common attack vectors including SQL injection, XSS, and request smuggling before they reach our servers.

DDoS protection. Cloudflare provides always-on DDoS mitigation at layers 3, 4, and 7. Our infrastructure is designed to absorb volumetric attacks without impacting service availability for legitimate users.

Network isolation. Our Kubernetes clusters use network policies to enforce strict pod-to-pod communication rules. Databases are isolated in private subnets with no direct internet access. All inter-service communication is authenticated and encrypted.

Minimal attack surface. We follow the principle of least privilege across our infrastructure. Services run as non-root users, container images are minimal and scanned for vulnerabilities, and unused ports and protocols are blocked by default.

Penetration testing

We conduct regular penetration tests through independent third-party security firms. Tests cover our application layer, API endpoints, authentication flows, and infrastructure configuration. Findings are triaged within 48 hours, and critical issues are patched within 24 hours of discovery. We perform comprehensive penetration tests at least annually, with targeted assessments conducted quarterly.

Secure development lifecycle

Security is integrated into every phase of our development process:

  • All code changes require peer review before merging, with security-sensitive changes requiring review from a security champion
  • Automated static analysis (SAST) and dependency scanning run on every pull request via our CI/CD pipeline
  • Container images are scanned for known vulnerabilities before deployment and continuously monitored in production
  • Secrets are managed through encrypted vaults, never stored in source code or environment variables in plaintext
  • We maintain a documented incident response plan with defined roles, escalation paths, and communication templates

Data residency

By default, customer data is stored on servers in the United States. Enterprise customers can request data residency in specific regions to meet regulatory requirements. Website content is served globally through Cloudflare's CDN, with edge caching that does not persist personal data. Contact our enterprise team for data residency options in the EU, Asia-Pacific, or other regions.

Employee security training

All Counselr employees complete security awareness training during onboarding and receive annual refresher training. Engineers receive additional secure coding training specific to their tech stack. We conduct regular phishing simulations and enforce hardware security keys for all internal systems. Access to production systems is restricted to a minimal set of engineers and requires multi-factor authentication with short-lived credentials.

Responsible disclosure program

We value the work of security researchers and welcome responsible disclosure of vulnerabilities. If you discover a security issue, please report it to us privately so we can address it before public disclosure.

What to report: Authentication bypasses, data exposure, injection vulnerabilities, privilege escalation, or any issue that could compromise user data or system integrity.

Our commitment: We will acknowledge your report within 24 hours, provide regular updates on our investigation, and publicly credit you (if desired) once the issue is resolved.

Report vulnerabilities to security@counselr.xyz. Please include a detailed description, reproduction steps, and any supporting evidence. Do not access or modify other users' data during your research.

Security contact

For general security questions, compliance documentation requests, or to report a concern, contact us at security@counselr.xyz. For enterprise security reviews and questionnaire completion, reach out to your account manager or our enterprise team.