ULTRARIA
BETA — Everything is free during the beta. Real customers, real data, no charges until full launch.BETA — Everything is free during the beta. Real customers, real data, no charges until full launch.BETA — Everything is free during the beta. Real customers, real data, no charges until full launch.BETA — Everything is free during the beta. Real customers, real data, no charges until full launch.BETA — Everything is free during the beta. Real customers, real data, no charges until full launch.BETA — Everything is free during the beta. Real customers, real data, no charges until full launch.
e0cb4c0

Security

Built for federal contractors. Secured accordingly.

We don't claim certifications we don't have. We do follow the practices that make security certifications possible to pursue, and we publish them so you can compare.

Encryption everywhere

All traffic to and from Ultraria is TLS 1.2+ (HTTPS only; HTTP redirects to HTTPS). Customer data is encrypted at rest using AES-256. Secrets and API keys are stored in environment-isolated secret managers, never checked into source control.

Minimal data collection

We collect only what we need to deliver the digest: your email, your filter configuration, a per-customer dedup record, and Stripe billing identifiers. We don't store credit card numbers (Stripe holds those) and we don't track you across the web.

Passwordless authentication

The dashboard uses magic-link email authentication. There are no passwords to leak, phish, or reuse. Sessions are short-lived JWTs signed with rotating keys; you can sign out across all devices from your account page.

Audit logging

Authentication events, account changes, billing events, and data exports are logged immutably. Customers can request an export of their own audit log at any time.

Incident response

We have a documented incident response plan covering detection, containment, communication, and post-mortem. In the event of a confirmed breach affecting personal data, we will notify affected customers without undue delay (within 72 hours of confirmation as a baseline).

Backups and recovery

The customer database is backed up nightly to encrypted storage in a separate region. We test restore procedures quarterly. RPO target: 24 hours. RTO target: 8 hours.

Infrastructure

The Ultraria web app is hosted on Cloudflare Pages (US-based edge with global delivery). The API and digest worker are hosted on Railway (US-East-1). The customer database is PostgreSQL on Railway, with daily encrypted snapshots to a separate region. All inter-service traffic uses TLS.

Vendors

Our material subprocessors:

  • Stripe — payment processing (PCI DSS Level 1)
  • Cloudflare Pages — frontend hosting (SOC 2 Type II, ISO 27001)
  • Railway — API and database hosting (SOC 2 Type II)
  • Resend — outbound transactional + digest email delivery (SOC 2 Type II)
  • SAM.gov — source data, public API, no PII shared

Reporting a vulnerability

If you've found a security issue, please email security@ultraria.com with reproduction steps and impact details. We commit to a first response within two business days. We don't operate a paid bug bounty yet, but we publicly thank researchers who responsibly disclose serious issues, and we will provide a small token of appreciation for valid high-impact findings.

What we don't claim

We are not currently SOC 2, ISO 27001, FedRAMP, or HIPAA certified. We don't process classified data. If you require a certified vendor for this category of service, the established enterprise contracting platforms are the right choice. We'll get there as the business grows.