StruckBox
AI-powered firefighter training. Built by Capt. Brian Williams, KCKFD.


© 2026 StruckBox, LLC. All rights reserved.

Not affiliated with any government agency or fire department.

Security & Trust

How We Protect Your Department's Data

StruckBox is a training-first SaaS platform for the fire service. We are not an RMS, ePCR, or system of record — but training records, member rosters, and SOG content still need to be handled carefully. This page lays out exactly what we do, what we use, and who you call when something looks wrong.

TLS in transit

All traffic to and from struckbox.com is encrypted with TLS 1.2+ and HSTS preload. No mixed-content fallbacks.

Encryption at rest

All structured data is stored in our Neon PostgreSQL instance with AES-256 encryption at rest. Backups are encrypted.

Authentication

Authentication is handled by Clerk. Passwords are never stored on our servers. SSO, MFA, and session controls are available on department plans.

Least-privilege access

Admin access to production data is limited to the founder, scoped via short-lived credentials, and logged.

Subprocessors

We use the following infrastructure providers to deliver the platform. Each one has its own SOC 2 or equivalent posture and its own published security documentation. If a department's procurement requires a Data Processing Agreement (DPA), email us at support@struckbox.com and we will route the right DPA from the appropriate provider.

| Provider | Role | Data received |
|---|---|---|
| Clerk | Authentication & user management | Email, name, authentication tokens |
| Stripe | Payment processing | Billing email, payment method (Stripe-tokenized, never on our servers) |
| OpenAI | Voice transcription (Whisper) & AI features | Audio recordings (transient, not stored after transcription) and text prompts |
| Anthropic | AI scoring, evaluation, and content generation | Text prompts and training-related content |
| Neon | PostgreSQL database hosting (US region) | All structured platform data: account, training progress, scores, content |
| Vercel | Application hosting & edge CDN | Page requests, IP addresses, edge logs |
| FAL.ai | Scene image generation | Text prompts for image generation |
| Resend | Transactional email | Email address and message content (account, training, notifications) |

What We Are Not

  • We are not SOC 2 Type II certified. We are a small team building toward it, and we will publish the cert here when it lands.
  • We are not a system of record. ISO training hours, drill records, and rosters live on StruckBox while you use the platform, but a department's authoritative training record system (Vector, TargetSolutions, dept's own RMS) remains the legal record.
  • We do not store credit card numbers. Card data is tokenized by Stripe and never touches our servers.
  • We do not sell training data. We do not run a third-party advertising network. We use anonymized aggregates for product improvement only.

Reporting a Vulnerability

If you believe you've found a security issue, please email security@struckbox.com with a description and proof of concept. We commit to acknowledging reports within 2 business days and to keeping you informed as we investigate. We do not currently run a paid bug bounty program, but we publicly credit reporters with their consent.

Please give us a reasonable window to remediate before public disclosure. Do not access data that is not yours, do not run destructive tests, and do not pivot from one finding to attack other systems.

Procurement Questions

Need a DPA, MSA, security questionnaire, or insurance certificate for your procurement file? Email support@struckbox.com with your department name and procurement contact. We respond within one business day.


Last reviewed: June 1, 2026.