🚀 SecureCheap is live — Start free →
Architecture & Security
Security Practices

Security Practices

Infrastructure security

PracticeImplementation
TLS everywhereTLS 1.3 minimum on all endpoints; HSTS with 1-year max-age
Secrets managementAll secrets stored in HashiCorp Vault with audit logging
Database encryptionAES-256 at rest; TLS in transit between services
Network segmentationDatabase and internal services not publicly reachable
DDoS protectionCloudflare Magic Transit on all public IPs
WAFCloudflare WAF with OWASP Core Rule Set
Vulnerability scanningWeekly automated scans of our own infrastructure

Application security

PracticeImplementation
Input validationAll API inputs validated against strict JSON Schema
SQL injectionParameterized queries / ORM throughout
XSSReact's auto-escaping + strict CSP
CSRFSameSite=Strict cookies + CSRF tokens on mutations
Rate limitingPer-IP and per-account rate limits on all endpoints
AuthenticationArgon2id password hashing; TOTP 2FA available
Session managementShort-lived JWTs (1h) + refresh tokens (30d) with rotation

Credential security

All integration credentials (cloud API keys, webhook URLs, etc.) are:

  1. Encrypted with AES-256-GCM before database write
  2. Never logged (any credential that appears in logs is masked)
  3. Never exposed via API responses (write-only; cannot be retrieved after initial entry)
  4. Scoped to minimum required permissions (we validate and warn if over-privileged)

Access control

  • All customer data is partitioned by workspace_id at the query level
  • Database accounts are role-based with no cross-workspace access possible
  • Production database access requires VPN + hardware MFA
  • All production access is logged and reviewed weekly

Responsible disclosure

We take security reports seriously. If you discover a vulnerability:

Email: [email protected] Response SLA: Within 24 hours Fix SLA: Critical: 24h, High: 7 days, Medium: 30 days

We operate a coordinated disclosure policy:

  1. Report to us first
  2. We acknowledge within 24 hours
  3. We fix and notify you
  4. You can publish details 90 days after our fix

We currently do not operate a paid bug bounty program, but we will publicly acknowledge security researchers who report valid vulnerabilities.

Compliance roadmap

StandardStatus
SOC 2 Type IIn progress (Q2 2025)
SOC 2 Type IIPlanned (Q4 2025)
ISO 27001Planned (2026)
GDPRCompliant
CCPACompliant