Security

Your data security is our top priority. Here's how we protect it.

Encryption

All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3. Database connections are encrypted end-to-end. We never collect payment information, so there are no card numbers or payment tokens to protect in the first place.

Infrastructure

  • Hosted on cloud infrastructure with SOC 2 Type II certified providers (Vercel and Supabase)
  • Managed Postgres with row-level security enforced on every table
  • DDoS protection and Web Application Firewall (WAF) at the edge
  • Export all of your data to CSV or PDF at any time

Access Control

Row-level security ensures your data is completely isolated from other users at the database level. All authentication tokens are short-lived and automatically rotated.

Authentication

  • Secure password hashing handled by Supabase Auth
  • Session management with automatic expiration
  • Brute-force protection with rate limiting

Compliance

  • GDPR-aligned — full data export and deletion rights
  • CCPA-aligned — California consumer privacy rights

Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly via the contact page. We take all reports seriously and respond as quickly as possible, typically within 48 hours. We do not pursue legal action against researchers who report vulnerabilities in good faith.

Questions

For security-related questions, reach out via the contact page.