Security is built into every layer of CalyPaly. Here's exactly how we protect your data.
Hosted on Vercel — Enterprise-grade infrastructure with automatic DDoS protection and edge caching.
Database on Neon — Serverless PostgreSQL with automatic backups, point-in-time recovery, and SOC 2 compliance.
TLS Everywhere — All connections encrypted with TLS 1.3. No unencrypted traffic, ever.
Password Hashing — Passwords hashed with bcrypt (cost factor 12). We never store your plain-text password and cannot retrieve it.
JWT Sessions — Signed, short-lived tokens. No session data stored server-side that could be compromised.
OAuth via Google — Optional Google sign-in through official OAuth 2.0 flow. We never see your Google password.
Rate Limiting — Automatic rate limiting on authentication endpoints to prevent brute-force attacks.
Encryption in Transit — All API calls use HTTPS. Database connections use TLS.
Encryption at Rest — Database encrypted at rest. Sensitive tokens (OAuth) additionally encrypted with AES-256-GCM.
No Plain-Text Secrets — API keys, tokens, and credentials are never logged or exposed in error messages.
PCI Compliant — We never touch credit card data. All payments processed by Stripe (PCI DSS Level 1) or PayPal.
Webhook Verification — All payment webhooks cryptographically verified before processing.
Input Validation — All user inputs validated and sanitized. Protection against SQL injection and XSS attacks.
CSRF Protection — Cross-site request forgery protection on all state-changing operations.
Dependency Scanning — Automated vulnerability scanning of all dependencies.
We appreciate responsible disclosure. If you discover a security issue, please email us at security@calypaly.com. We'll respond within 24 hours.
Last updated: January 2026