Security & Compliance

Your customer data is protected by industry-standard encryption, access controls, and audit logging.

Encrypted Stripe Key Storage

Stripe API keys are encrypted at rest using AES-256-GCM with a 32-byte key. Raw keys are never stored in plaintext.
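The following is an added illustration of the encrypt-at-rest scheme described above, written for this page; it is not the product's own code. It assumes a 32-byte master key is supplied from outside the database (a KMS or secret manager), stores a fresh random 12-byte nonce alongside each ciphertext, and relies on GCM's authentication tag so that a tampered record or a wrong key is rejected rather than decrypted to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrBadKeyLength is returned when the master key is not 32 bytes (AES-256).
var ErrBadKeyLength = errors.New("master key must be exactly 32 bytes")

// EncryptSecret seals plaintext with AES-256-GCM under masterKey.
// Stored layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
// A fresh random nonce is drawn per call; reusing a nonce under the same key
// breaks GCM, so the nonce is never derived from the plaintext or a counter.
func EncryptSecret(masterKey []byte, plaintext []byte) ([]byte, error) {
	if len(masterKey) != 32 {
		return nil, ErrBadKeyLength
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so the nonce travels with the record.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptSecret reverses EncryptSecret. Any change to the stored blob
// (nonce, ciphertext or tag) or use of the wrong key fails authentication.
func DecryptSecret(masterKey []byte, blob []byte) ([]byte, error) {
	if len(masterKey) != 32 {
		return nil, ErrBadKeyLength
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed demo key: in a real deployment it comes from a KMS or secret
	// manager, never from source code or the same table as the ciphertext.
	masterKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, masterKey); err != nil {
		panic(err)
	}
	// Placeholder value, not a real Stripe key.
	blob, err := EncryptSecret(masterKey, []byte("sk_test_placeholder_not_a_real_key"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes (nonce + ciphertext + tag)\n", len(blob))
	pt, err := DecryptSecret(masterKey, blob)
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = DecryptSecret(masterKey, blob)
	fmt.Printf("after tampering, decrypt error: %v\n", err)
}
```

The key check is deliberately exact: AES-256 needs 32 bytes, and accepting a shorter key would silently downgrade to AES-128 or AES-192.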

No Raw Card Data

We never store raw payment card data. All payment processing flows through Stripe's PCI-compliant infrastructure.

Row-Level Security

Every database table enforces Row-Level Security (RLS) policies. Users can only access their own data.

Rate Limiting

All API endpoints are rate-limited with sliding window algorithms. Three tiers: strict (20/min), default (60/min), relaxed (200/min).
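Below is an added example of a sliding-window limiter with the three tiers quoted above. It is illustrative code written for this page, not the product's implementation, and it assumes an in-memory store keyed by tier and client identifier; a multi-instance deployment would keep the same log in a shared store such as Redis. It uses the exact sliding-log variant, so a burst that straddles a minute boundary cannot obtain double the quota the way a fixed window would allow.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// TierLimits are requests per 60-second window, matching the page's tiers.
var TierLimits = map[string]int{
	"strict":  20,
	"default": 60,
	"relaxed": 200,
}

const window = time.Minute

// Limiter keeps the timestamps of each client's recent requests and counts
// exactly how many fall inside the trailing window.
type Limiter struct {
	mu   sync.Mutex
	logs map[string][]time.Time // key: tier + ":" + clientID
}

func NewLimiter() *Limiter {
	return &Limiter{logs: make(map[string][]time.Time)}
}

// prune drops timestamps that have slid out of the window ending at now.
// Caller must hold l.mu.
func (l *Limiter) prune(key string, now time.Time) []time.Time {
	cutoff := now.Add(-window)
	kept := l.logs[key][:0] // in-place filter over the same backing array
	for _, ts := range l.logs[key] {
		if ts.After(cutoff) {
			kept = append(kept, ts)
		}
	}
	l.logs[key] = kept
	return kept
}

func limitFor(tier string) int {
	if limit, ok := TierLimits[tier]; ok {
		return limit
	}
	// Unknown tier: fail closed to the strictest quota rather than unlimited.
	return TierLimits["strict"]
}

// Allow reports whether a request from clientID at time now fits the tier's
// quota and records it if so. Passing now explicitly keeps it testable.
func (l *Limiter) Allow(tier, clientID string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	key := tier + ":" + clientID
	kept := l.prune(key, now)
	if len(kept) >= limitFor(tier) {
		return false
	}
	l.logs[key] = append(kept, now)
	return true
}

// Remaining is the quota left in the window ending at now, suitable for an
// X-RateLimit-Remaining response header.
func (l *Limiter) Remaining(tier, clientID string, now time.Time) int {
	l.mu.Lock()
	defer l.mu.Unlock()
	r := limitFor(tier) - len(l.prune(tier+":"+clientID, now))
	if r < 0 {
		return 0
	}
	return r
}

func main() {
	l := NewLimiter()
	start := time.Now()
	allowed, denied := 0, 0
	// Constructed burst: 25 strict-tier calls within one second.
	for i := 0; i < 25; i++ {
		if l.Allow("strict", "client-a", start.Add(time.Duration(i)*40*time.Millisecond)) {
			allowed++
		} else {
			denied++
		}
	}
	fmt.Printf("strict tier: %d allowed, %d denied, %d remaining\n",
		allowed, denied, l.Remaining("strict", "client-a", start.Add(time.Second)))
}
```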

CSRF Protection

All state-changing requests are validated against Origin and Referer headers to prevent cross-site request forgery.

HSTS with Preload

HTTP Strict Transport Security (HSTS) is enabled with a 2-year max-age and the preload directive.
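The following added example covers both the CSRF section and the HSTS section above in one HTTP middleware. It is written for this page rather than taken from the product, and it assumes a single trusted site origin, https://app.example.com (a placeholder). State-changing methods must carry an Origin header, or failing that a Referer, that resolves to a trusted origin; a request with neither header, or with the opaque value `Origin: null`, is rejected. The HSTS value is the 2-year max-age with preload from the page; includeSubDomains is added because the browser preload list requires it, and browsers only honour the header on HTTPS responses.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// HSTSHeader: 2 years in seconds, plus the flags the preload list requires.
const HSTSHeader = "max-age=63072000; includeSubDomains; preload"

// stateChanging lists the methods that must prove a trusted source.
func stateChanging(method string) bool {
	switch method {
	case http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete:
		return true
	}
	return false
}

// sourceOrigin returns scheme://host from Origin, falling back to Referer.
// It returns "" when neither is usable, which callers treat as untrusted.
func sourceOrigin(r *http.Request) string {
	if o := r.Header.Get("Origin"); o != "" && o != "null" {
		return o
	}
	ref := r.Header.Get("Referer")
	if ref == "" {
		return ""
	}
	u, err := url.Parse(ref)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return ""
	}
	return u.Scheme + "://" + u.Host
}

// CSRFAllowed reports whether r may proceed given the trusted origins.
func CSRFAllowed(r *http.Request, trusted map[string]bool) bool {
	if !stateChanging(r.Method) {
		return true
	}
	src := sourceOrigin(r)
	return src != "" && trusted[strings.ToLower(src)]
}

// Secure sets HSTS on every response and blocks untrusted state changes.
func Secure(trusted map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", HSTSHeader)
		if !CSRFAllowed(r, trusted) {
			http.Error(w, "forbidden: untrusted request origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe drives a synthetic request through Secure without a listener and
// returns the status code and the HSTS header that was emitted.
func Probe(method, origin, referer string) (int, string) {
	trusted := map[string]bool{"https://app.example.com": true} // placeholder site origin
	h := Secure(trusted, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(method, "https://app.example.com/api/update", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if referer != "" {
		req.Header.Set("Referer", referer)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Strict-Transport-Security")
}

func main() {
	cases := [][3]string{
		{"POST", "https://app.example.com", ""},
		{"POST", "https://other.example.net", ""},
		{"POST", "", ""},
		{"POST", "", "https://app.example.com/settings"},
		{"GET", "", ""},
	}
	for _, c := range cases {
		code, hsts := Probe(c[0], c[1], c[2])
		fmt.Printf("%-4s origin=%-26q referer=%-36q -> %d  HSTS=%q\n", c[0], c[1], c[2], code, hsts)
	}
}
```

Origin is preferred over Referer because browsers always send Origin on cross-site POSTs, while Referer can be stripped by privacy settings or a Referrer-Policy; the fallback exists so same-site form posts from older clients still work, and the absence of both is treated as a rejection rather than a pass.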

Audit Logging (Enterprise)

The Enterprise plan includes comprehensive audit logging of all data mutations - who did what, when, and from where.

Structured Error Handling

All API routes use structured error responses. Internal error details are never exposed to clients.

Need more details?

Enterprise customers receive a detailed security questionnaire response and can request a SOC 2 readiness assessment.

Get Enterprise