Security & Compliance
Your customer data is protected by industry-standard encryption, access controls, and audit logging.
Encrypted Stripe Key Storage
Stripe API keys are encrypted at rest using AES-256-GCM with a 32-byte key. Raw keys are never stored in plaintext.
No Raw Card Data
We never store raw payment card data. All payment processing flows through Stripe's PCI-compliant infrastructure.
Row-Level Security
Every database table enforces Row-Level Security (RLS) policies. Users can only access their own data.
Rate Limiting
All API endpoints are rate-limited with sliding window algorithms. Three tiers: strict (20/min), default (60/min), relaxed (200/min).
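As an added illustration (not the product's own implementation), here is an in-memory sliding-window-log limiter with the three tiers listed above. The per-tier limits come from the page; the one-minute window, the keying by client id and tier, and the injectable clock are assumptions made so the behaviour can be exercised deterministically.

```javascript
// Added example (not the product's own code): sliding-window-log rate limiting
// with the page's three tiers. Assumption: limits are per (client id, tier).
const TIERS = {
  strict:  { limit: 20,  windowMs: 60000 },
  default: { limit: 60,  windowMs: 60000 },
  relaxed: { limit: 200, windowMs: 60000 },
};

class SlidingWindowLimiter {
  constructor(now = () => Date.now()) {
    this.now = now;                // injectable clock for testing
    this.logs = new Map();         // key -> sorted array of request timestamps (ms)
  }

  // Returns { allowed, remaining, retryAfterMs } for one incoming request.
  check(clientId, tier = 'default') {
    const cfg = TIERS[tier];
    if (!cfg) throw new Error(`unknown tier: ${tier}`);
    const key = `${tier}:${clientId}`;
    const t = this.now();
    const cutoff = t - cfg.windowMs;
    // Drop timestamps that have slid out of the window.
    const log = (this.logs.get(key) || []).filter(ts => ts > cutoff);
    if (log.length >= cfg.limit) {
      this.logs.set(key, log);
      // The oldest request still in the window decides when a slot frees up.
      return { allowed: false, remaining: 0, retryAfterMs: log[0] + cfg.windowMs - t };
    }
    log.push(t);
    this.logs.set(key, log);
    return { allowed: true, remaining: cfg.limit - log.length, retryAfterMs: 0 };
  }
}

// Demo helper: fire n requests at once and count how many are admitted.
function burst(limiter, clientId, tier, n) {
  let allowed = 0;
  for (let i = 0; i < n; i++) {
    if (limiter.check(clientId, tier).allowed) allowed++;
  }
  return allowed;
}

// Demo with a fake clock.
let clock = 0;
const limiter = new SlidingWindowLimiter(() => clock);
console.log(burst(limiter, 'client-a', 'strict', 25)); // 20: the strict tier admits 20/min
clock += 61000;                                         // a minute later the window has slid
console.log(burst(limiter, 'client-a', 'strict', 1));  // 1
```

Unlike a fixed window, this log never admits a burst of 2x the limit straddling a minute boundary; the cost is storing up to `limit` timestamps per key, which in production would live in a shared store such as Redis rather than process memory.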
CSRF Protection
All state-changing requests are validated against Origin and Referer headers to prevent cross-site request forgery.
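The check described above, written out as an added example rather than the product's own middleware: safe methods pass, an Origin header is compared against an allow-list, Referer is consulted only when Origin is absent, and a request with neither header is rejected. The allowed origin and the header shapes (lowercase keys as Node's http module provides) are assumptions.

```javascript
// Added example (not the product's own code): Origin/Referer validation for
// state-changing requests. Assumption: ALLOWED_ORIGINS is configured per deployment.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed value
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Returns the scheme://host[:port] part of a URL, or null if it does not parse.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// Returns { ok, reason }. Only state-changing methods are checked.
function checkCsrf(method, headers, allowed = ALLOWED_ORIGINS) {
  if (SAFE_METHODS.has(method.toUpperCase())) return { ok: true, reason: 'safe method' };

  const origin = headers['origin'];
  if (origin !== undefined) {
    // Browsers attach Origin to cross-site requests; an opaque "null" origin never matches.
    return allowed.has(origin)
      ? { ok: true, reason: 'origin allowed' }
      : { ok: false, reason: 'origin mismatch' };
  }

  const referer = headers['referer'];
  if (referer !== undefined) {
    const refOrigin = originOf(referer);
    return refOrigin !== null && allowed.has(refOrigin)
      ? { ok: true, reason: 'referer allowed' }
      : { ok: false, reason: 'referer mismatch' };
  }

  // Neither header present: fail closed for anything that changes state.
  return { ok: false, reason: 'missing origin and referer' };
}

console.log(checkCsrf('POST', { origin: 'https://app.example.com' }));   // ok: true
console.log(checkCsrf('POST', { origin: 'https://other.example' }));     // ok: false
```

Comparing the full origin (scheme, host and port) rather than a hostname substring avoids accepting `https://app.example.com.attacker.example`; the Referer path and query are deliberately ignored since only its origin matters.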
HSTS with Preload
HTTP Strict Transport Security is enabled with a 2-year max-age and preload directive.
Audit Logging (Enterprise)
The Enterprise plan includes comprehensive audit logging of all data mutations: who did what, when, and from where.
Structured Error Handling
All API routes use structured error responses. Internal error details are never exposed to clients.
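An added example (not the product's own handler) of the separation the page describes: errors the application deliberately raises carry a status and code that are safe to return, while anything unexpected is reduced to a generic structured body for the client and logged in full on the server. The `AppError` class and the `requestId` correlation field are assumptions.

```javascript
// Added example (not the product's own code): structured error responses that
// keep internal detail out of the client body. AppError is a hypothetical class
// marking errors that are safe to surface.
class AppError extends Error {
  constructor(status, code, message) {
    super(message);
    this.status = status;
    this.code = code;
  }
}

// Returns { status, body, logEntry }: body is sent to the client, logEntry to server logs.
function toErrorResponse(err, requestId) {
  if (err instanceof AppError) {
    return {
      status: err.status,
      body: { error: { code: err.code, message: err.message, requestId } },
      logEntry: { level: 'warn', requestId, code: err.code },
    };
  }
  // Unknown failure: generic message outward, stack and message only in the log.
  return {
    status: 500,
    body: { error: { code: 'internal_error', message: 'An internal error occurred.', requestId } },
    logEntry: { level: 'error', requestId, message: err.message, stack: err.stack },
  };
}

// Demo with a constructed driver-style error that embeds an internal hostname.
const dbErr = new Error('connect ECONNREFUSED db.internal:5432');
console.log(JSON.stringify(toErrorResponse(dbErr, 'req-1').body));
// {"error":{"code":"internal_error","message":"An internal error occurred.","requestId":"req-1"}}
```

The request id lets support correlate a client-reported error with the full server-side log entry without the client ever seeing the stack or the internal hostname.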
Need more details?
Enterprise customers receive a detailed security questionnaire response and can request a SOC 2 readiness assessment.