Security

Security is a feature, not a checkbox.

Here's exactly what we do to keep your data and your customers' data safe.

🔒

Encryption everywhere

TLS 1.3 for every connection. AES-256 at rest in MongoDB Atlas. Passwords bcrypt-hashed with cost factor 10. No plaintext secrets in logs.

🔑

Authentication

JWT tokens (HS256-pinned), short-lived sessions, optional TOTP 2FA for super admins. Failed-login rate limiting at 10/minute per IP.

🛡️

Authorization

Role-based access control on every API route. 35-permission RBAC for team accounts. Server-side enforcement — no trust in the client.

🗄️

Database

MongoDB Atlas with IP allowlist (only our VPS can connect). Daily automated snapshots, 7-day retention. Point-in-time recovery available.

📋

Audit logging

Every super-admin action is logged with actor, timestamp, target, before/after state. Tamper-evident. Exportable to CSV.

🚨

Incident response

Breach notification within 72 hours to affected users. Public status page for service-wide incidents. Root-cause analysis published.

🔍

Responsible disclosure

Found a vulnerability? Email [email protected]. We respond within 24 hours. No legal action against good-faith researchers.

🧪

Code security

Internal security audits before each major release. Input validation, output escaping, parameterized queries, CSRF protection on every form.

Compliance roadmap

2026 Q3
Internal SOC 2 readiness assessment
2027 Q2
SOC 2 Type I audit
2027 Q4
GDPR Article 30 records of processing published
2028
SOC 2 Type II + ISO 27001 evaluation

Report a security issue

Disclose privately first. We respond within 24 hours and credit researchers publicly (with your consent).

[email protected]