v4.2 · BUILD 20260527

Security at Northern Star.

We treat metadata like the financial record it is. Every system in the suite is built with encryption, access control, and audit logging by default — and the same standards apply whether you're a single creator or an enterprise catalog.

— PRINCIPLES

Five things we do by default.

No feature flag, no enterprise tier, no opt-in. These apply to every account on every plan.

/ 01 — DATA PROTECTION

Encrypt everything, everywhere.

  • TLS 1.3 in transit for all API and dashboard traffic
  • AES-256 encryption at rest for catalog data and correction records
  • Daily encrypted backups with 30-day retention
  • Customer catalog data is never used to train shared models or sold to third parties

/ 02 — INFRASTRUCTURE

Hardened by default.

  • Managed Linux infrastructure with hardened OS configurations
  • Network isolation between sandbox and production environments
  • Automated patching for OS and runtime dependencies
  • Geographically separated backup storage

/ 03 — ACCESS CONTROL

Least privilege, always logged.

  • Least-privilege access for all internal staff
  • Mandatory MFA on every admin account
  • Per-customer API tokens scoped to a system and environment
  • Full audit log of every correction, validation, and access event

/ 04 — INCIDENT RESPONSE

Tested, documented, fast.

  • 24/7 monitoring with automated paging
  • Documented incident response runbook
  • Affected customers notified within 24 hours of any confirmed material incident
  • Post-incident reports published to the Status page

/ 05 — DATA HANDLING

Your data is yours.

  • Export your full dataset at any time, in standard formats
  • Delete on request — corrections, validations, and audit records purged within 30 days of termination
  • Sub-processors listed and updated on request; material changes notified in advance
  • Data residency options available for EU and US customers on Enterprise plans

— COMPLIANCE

Where we stand on certifications.

Honest status — what's done, what's in progress, what's available on request.

In effect

GDPR

EU customer data handled under the GDPR. DPA available on request.

In progress

SOC 2 Type II

Controls implemented; formal audit in planning. Letter of intent available for security reviews.

In effect

HIPAA-aware

MediSMPT and UseMediReady process healthcare data under HIPAA-aware controls. BAA available.

In effect

DPA on request

Standard data processing agreement available for review and signature before contract.

— RESPONSIBLE DISCLOSURE

Found a vulnerability? Tell us first.

We don't run a public bug bounty yet, but every valid report is acknowledged within 48 hours, triaged, and credited (with your permission) in our security log once fixed.

What to include in your report.

Steps to reproduce. A clear path from start to impact. Screenshots and request traces help.

Impact. What you were able to do or access. We triage based on real-world severity, not CVSS in isolation.

Suggested fix (optional). If you see one. Not required.

Please test only against your own account and sandbox environment. Do not access other customers' data. Do not publish before we've confirmed a fix is shipped.

Send reports to security@northernstarsystems.com.

Acknowledged within 48 hours. PGP key available on request. Critical issues paged 24/7.