Security at Inception Studio

An overview of how Inception Studio handles the data we collect, and the path for security researchers to report issues.

Data we collect

  • Application data — the information you submit when applying to a cohort, including company details, founder background, and your responses to written prompts.
  • Founder profile data — for accepted founders, the public profile fields surfaced on the founders directory (name, cohort, company, public links). Profile edits and removal go through the contact page.
  • Donation data — if you donate to Inception, your name, email, and the donation record. Processed by a third-party payment provider; Inception does not store card numbers.
  • Newsletter signups — email address only, processed by Inception's newsletter provider once selected. See the privacy policy for the canonical record.

How we protect it

  • All traffic served over HTTPS via Cloudflare.
  • The public site is statically generated — no runtime application server holds user data.
  • Application form submissions are stored with the third-party form provider Inception uses (currently Tally, Typeform, or similar; NEEDS-REVIEW once confirmed), with provider-side encryption at rest.
  • The repository is open source at github.com/gp48maz1/inception_new. The code that handles each surface is auditable.

Third-party processors

  • Hosting: Cloudflare Pages (or equivalent static host).
  • Application intake: NEEDS-REVIEW — confirm the live form provider (Tally, Typeform, Airtable, etc.).
  • Newsletter: NEEDS-REVIEW — confirm provider when Inception's newsletter goes live.
  • Donations: NEEDS-REVIEW — Stripe / Givebutter / etc., per Inception's current 501(c)(3) processor.

Responsible disclosure

Found a vulnerability? Email security@inceptionstudio.org with reproduction steps and any relevant context. We commit to:

  • Acknowledging receipt within five business days
  • Investigating in good faith and not pursuing legal action against researchers acting in good faith
  • Providing credit where you would like it (and respecting your wish to remain anonymous)

NEEDS-REVIEW: confirm the canonical disclosure email + whether a PGP key should be published here.

Bug bounty

Inception does not currently operate a formal bug bounty. Responsible disclosure via the email above is appreciated and we will recognize researchers publicly where appropriate.
