Security
Security is a feature, not a checkbox.
Here's exactly what we do to keep your data and your customers' data safe.
Encryption everywhere
TLS 1.3 for every connection. AES-256 at rest in MongoDB Atlas. Passwords bcrypt-hashed with cost factor 10. No plaintext secrets in logs.
Authentication
JWT tokens (HS256-pinned), short-lived sessions, optional TOTP 2FA for super admins. Failed-login rate limiting at 10/minute per IP.
Authorization
Role-based access control on every API route. 35-permission RBAC for team accounts. Server-side enforcement — no trust in the client.
Database
MongoDB Atlas with IP allowlist (only our VPS can connect). Daily automated snapshots, 7-day retention. Point-in-time recovery available.
Audit logging
Every super-admin action is logged with actor, timestamp, target, before/after state. Tamper-evident. Exportable to CSV.
Incident response
Breach notification within 72 hours to affected users. Public status page for service-wide incidents. Root-cause analysis published.
Responsible disclosure
Found a vulnerability? Email [email protected]. We respond within 24 hours. No legal action against good-faith researchers.
Code security
Internal security audits before each major release. Input validation, output escaping, parameterized queries, CSRF protection on every form.
Compliance roadmap
Report a security issue
Disclose privately first. We respond within 24 hours and credit researchers publicly (with your consent).
[email protected]