Security

How we protect your data and ensure platform security

Security is our top priority. We implement industry-leading practices to protect your data, payments, and privacy.

Data Encryption

In Transit

  • TLS 1.3 Encryption: All data transmitted between your browser and our servers is encrypted using the latest TLS 1.3 protocol
  • HTTPS Everywhere: We enforce HTTPS on all pages with automatic redirects from HTTP
  • Certificate Pinning: Additional protection against man-in-the-middle attacks

At Rest

  • AES-256 Encryption: All sensitive data stored in our databases is encrypted using AES-256
  • Encrypted Backups: Daily encrypted backups stored in geographically distributed locations
  • Key Management: Encryption keys are rotated regularly and stored in hardware security modules (HSMs)

Bank-Level Security: The same encryption standards used by major financial institutions

Authentication & Access Control

Password Security

  • Bcrypt Hashing: Passwords are hashed using bcrypt with a high work factor
  • Password Requirements: Minimum 8 characters with complexity requirements
  • No Plain-Text Storage: We never store passwords in plain text or reversible formats
  • Breach Detection: Integration with HaveIBeenPwned to alert users of compromised passwords

Multi-Factor Authentication (MFA)

  • Optional 2FA via authenticator apps (TOTP)
  • SMS-based verification available
  • Recovery codes for account access
  • Required for sensitive operations (payout changes, team transfers)

Session Management

  • Secure session tokens with automatic expiration
  • Automatic logout after 30 days of inactivity
  • Session invalidation on password change
  • IP address and device tracking for anomaly detection

Infrastructure Security

Cloud Infrastructure

  • SOC 2 Certified Hosting: Infrastructure hosted on SOC 2 Type II certified cloud providers
  • DDoS Protection: Cloudflare protection against distributed denial-of-service attacks
  • Firewalls: Web application firewall (WAF) and network firewalls on all services
  • Isolated Environments: Production, staging, and development environments are completely isolated

Database Security

  • Encrypted connections to databases (SSL/TLS)
  • Database access restricted to application servers only
  • Regular security patches and updates
  • Automated daily backups with point-in-time recovery

Network Security

  • Private networks with no public internet access
  • VPN required for administrative access
  • Intrusion detection and prevention systems (IDS/IPS)
  • Regular network security audits

Payment Security

We never store your payment information

All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. This is the highest level of payment security certification in the industry.

What This Means

  • Credit card numbers never touch our servers
  • Stripe handles all PCI compliance requirements
  • Tokenized payment methods for recurring transactions
  • 3D Secure authentication for high-risk transactions
  • Real-time fraud detection and prevention

Stripe Security: Trusted by millions of businesses worldwide, including Amazon, Google, and Salesforce. Learn more at stripe.com/docs/security

Monitoring & Incident Response

24/7 Monitoring

  • Real-time security event monitoring
  • Automated alerts for suspicious activity
  • Uptime monitoring with 99.9% SLA
  • Performance and error tracking

Incident Response

  • Documented incident response plan
  • On-call security team 24/7
  • Automated containment procedures
  • Post-incident reviews and improvements
  • User notification within 72 hours of confirmed breaches

Logging & Auditing

  • Comprehensive audit logs for all system actions
  • Immutable log storage for forensic analysis
  • 90-day log retention for security events
  • Regular security audits by third-party firms

Application Security

Secure Development

  • Code Reviews: All code reviewed by multiple engineers before deployment
  • Automated Testing: Comprehensive security testing in CI/CD pipeline
  • Dependency Scanning: Automated scanning for vulnerable dependencies
  • Static Analysis: SAST tools to detect security issues in code

Protection Against Common Attacks

  • SQL Injection: Parameterized queries and ORM usage
  • XSS (Cross-Site Scripting): Input sanitization and Content Security Policy
  • CSRF (Cross-Site Request Forgery): Anti-CSRF tokens on all forms
  • Clickjacking: X-Frame-Options headers
  • Rate Limiting: API and login attempt rate limiting

Employee Security

  • Background Checks: All employees undergo background verification
  • Security Training: Regular security awareness training for all staff
  • Principle of Least Privilege: Employees only have access to data necessary for their role
  • Access Reviews: Quarterly review of all access permissions
  • Confidentiality Agreements: All employees sign NDAs and security policies

Third-Party Security

We carefully vet all third-party services:

Stripe

  • PCI-DSS Level 1 certified
  • SOC 2 Type II certified
  • Payment processing

Printful

  • ISO 27001 certified
  • GDPR compliant
  • Product fulfillment

All vendors sign data processing agreements and undergo security assessments.

Compliance & Certifications

  • GDPR: EU General Data Protection Regulation compliant
  • CCPA: California Consumer Privacy Act compliant
  • SOC 2: Working towards SOC 2 Type II certification (in progress)
  • PCI-DSS: Compliant through Stripe integration

Report a Security Issue

We take security vulnerabilities seriously and appreciate responsible disclosure.

How to Report

  • Email: security@denedesigns.com
  • Include detailed steps to reproduce the issue
  • Allow us 90 days to address before public disclosure
  • Do not exploit the vulnerability or access user data

What to Expect

  • Acknowledgment within 24 hours
  • Regular updates on fix progress
  • Public recognition (if desired)
  • Potential bug bounty rewards

Your Security Responsibilities

Help us keep your account secure:

  • Use a strong, unique password
  • Enable two-factor authentication
  • Never share your password or session tokens
  • Log out on shared computers
  • Keep your email account secure
  • Report suspicious activity immediately
  • Review account activity regularly

Questions?

For security-related questions or concerns:

Security Team

Email: security@denedesigns.com

Response time: Within 24 hours for security issues, 48 hours for general inquiries