
Security

Last updated: January 1, 2025

At Retentive, security is fundamental to everything we do. We understand that you trust us with your learning data, and we take that responsibility seriously. This page outlines our comprehensive security practices and measures.

TLS Encryption

All data transmitted between your device and our servers is encrypted in transit using TLS 1.2 or newer (the successor to SSL), served over HTTPS.

Data Encryption at Rest

Your sensitive data is encrypted in our databases using AES-256.

Secure Authentication

We use Supabase Auth with bcrypt password hashing and secure session management.

PCI DSS Compliant Payments

Payment processing is handled by Stripe, a PCI DSS Level 1 service provider, so card data never touches our servers.

Privacy by Design

We collect only the data necessary to provide our service and never sell your information.

Regular Security Audits

We conduct regular security assessments and keep all systems updated with the latest patches.

Data Protection

Encryption

  • In Transit: All communications use HTTPS with TLS 1.2+ encryption
  • At Rest: Sensitive data is encrypted in our Supabase PostgreSQL database
  • Backups: All backups are encrypted and stored securely

Data Storage

Your data is stored in secure, enterprise-grade infrastructure provided by Supabase, with redundancy and automatic backups. Data centers are:

  • SOC 2 Type II certified
  • ISO 27001 compliant
  • Physically secured with multiple layers of protection
  • Monitored 24/7 for security incidents

Data Isolation

Each user's data is logically isolated using PostgreSQL row-level security (RLS) policies enforced in the database itself: a query returns or modifies only rows that belong to the authenticated user, so isolation does not depend on application code remembering to add a filter. You can only access your own data, and our systems enforce strict access controls.
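The following is an added illustration of how per-user isolation with RLS is expressed in Postgres, not Retentive's own schema or policies. It assumes a hypothetical "cards" table and Supabase's auth.uid() helper, which returns the user id (the "sub" claim) from the JWT of the current request; the two UUIDs in the verification block are made up.

```sql
-- Added example (hypothetical table, not the project's schema).
create table if not exists public.cards (
  id       bigint generated always as identity primary key,
  user_id  uuid not null default auth.uid(),  -- owner, taken from the session, not from the client
  front    text not null,
  back     text not null
);

-- Policies are ignored until RLS is switched on for the table.
alter table public.cards enable row level security;

-- Read: a row is visible only to the user that owns it.
create policy "cards: select own" on public.cards
  for select to authenticated
  using (auth.uid() = user_id);

-- Write: a client cannot create a row, or move an existing one, under someone else's user_id.
create policy "cards: insert own" on public.cards
  for insert to authenticated
  with check (auth.uid() = user_id);

create policy "cards: update own" on public.cards
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "cards: delete own" on public.cards
  for delete to authenticated
  using (auth.uid() = user_id);

-- Checking the isolation by hand. PostgREST sets the database role and the JWT claims
-- for every API request; the same settings can be applied inside a transaction to act
-- as a chosen user. Everything is rolled back at the end.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"11111111-1111-4111-8111-111111111111","role":"authenticated"}',
                    true);
  -- user_id is filled from auth.uid() by the column default
  insert into public.cards (front, back) values ('ATP', 'Adenosine triphosphate');
  select * from public.cards;   -- the select policy shows this user its own row only

  -- Switch to a second user in the same transaction.
  select set_config('request.jwt.claims',
                    '{"sub":"22222222-2222-4222-8222-222222222222","role":"authenticated"}',
                    true);
  select * from public.cards;   -- user 1's row is filtered out for user 2

  -- Planting a row under user 1's id fails the insert policy's WITH CHECK and raises
  -- "new row violates row-level security policy".
  insert into public.cards (user_id, front, back)
    values ('11111111-1111-4111-8111-111111111111', 'x', 'y');
rollback;
```

Two caveats a practitioner would check: a newly created table has RLS off, so `enable row level security` has to be part of every migration that adds a table; and Supabase's service_role key (and, in plain Postgres, the table owner unless `force row level security` is set) bypasses RLS, so that key must only ever be used server-side and never shipped to the browser or desktop client.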

Authentication and Access Control

Password Security

  • Passwords are hashed using bcrypt with appropriate work factors
  • We never store passwords in plain text
  • Password reset uses secure, time-limited tokens
  • We recommend using strong, unique passwords

Session Management

  • Session cookies are marked Secure and HttpOnly, so they are sent only over HTTPS and cannot be read by page scripts; this limits what an XSS bug could steal but does not by itself prevent XSS (see Application Security)
  • Sessions expire after periods of inactivity
  • Logout invalidates session tokens immediately

Account Security

  • You can review active sessions and revoke access
  • Unusual login attempts are flagged for review
  • Email notifications for important account changes

Application Security

Secure Development Practices

  • Input Validation: All user input is validated and sanitized
  • SQL Injection Prevention: Parameterized queries prevent SQL injection
  • XSS Protection: Content Security Policy and output encoding
  • CSRF Protection: Anti-CSRF tokens on all state-changing operations
  • Dependency Management: Regular updates and vulnerability scanning

Code Security

  • TypeScript strict mode for type safety
  • ESLint security rules and automated scanning
  • Peer code reviews before deployment
  • Automated security testing in CI/CD pipeline

Payment Security

We do not store any credit card information on our servers. All payment processing is handled by Stripe, a PCI DSS Level 1 service provider. Level 1 is the most stringent PCI DSS assessment level.

  • Stripe tokenizes payment methods for secure storage
  • Card details are transmitted directly to Stripe, never to our servers
  • Strong Customer Authentication (SCA) compliance
  • Fraud detection and prevention systems

Infrastructure Security

Hosting and Deployment

  • Vercel: Enterprise-grade hosting with DDoS protection and edge network
  • Supabase: Managed PostgreSQL with automatic security patches
  • Isolation: Each service runs in isolated environments

Network Security

  • Firewalls and network segmentation
  • DDoS protection at the edge
  • Rate limiting to prevent abuse
  • Intrusion detection systems

Monitoring and Logging

  • 24/7 system monitoring and alerting
  • Security event logging and analysis
  • Automated anomaly detection
  • Incident response procedures

Privacy and Compliance

Data Minimization

We collect only the data necessary to provide and improve our service. We do not use third-party advertising or tracking cookies.

Data Retention

  • Active account data is retained as long as your account exists
  • Deleted account data is purged within 30 days
  • Backups are retained for disaster recovery (30-90 days)
  • Legal compliance may require longer retention in specific cases

Third-Party Services

We carefully vet all third-party services and ensure they meet our security standards:

  • Supabase: Database and authentication (SOC 2, ISO 27001)
  • Stripe: Payment processing (PCI DSS Level 1)
  • Vercel: Application hosting (SOC 2)

Your Security Responsibilities

Security is a shared responsibility. You can help protect your account by:

  • Using a strong, unique password
  • Not sharing your account credentials
  • Logging out on shared devices
  • Keeping your email account secure
  • Reporting suspicious activity immediately
  • Keeping your desktop application updated

Incident Response

In the unlikely event of a security incident, we have procedures in place to:

  • Detect and contain the incident quickly
  • Assess the scope and impact
  • Notify affected users promptly
  • Remediate vulnerabilities
  • Conduct post-incident reviews

We are committed to transparency and will communicate openly about security incidents that may affect you.

Security Updates

We continuously improve our security practices through:

  • Regular security assessments and penetration testing
  • Staying current with industry best practices
  • Monitoring security advisories for our dependencies
  • Participating in security communities and forums
  • Training our team on security awareness

Reporting Security Issues

We appreciate responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to us immediately at mahirabrar.net

  • Please provide detailed information to help us reproduce and fix the issue
  • Allow us reasonable time to address the issue before public disclosure
  • We will acknowledge receipt within 48 hours

We do not currently have a bug bounty program, but we deeply appreciate researchers who help us maintain the security of our platform.

Questions and Contact

If you have questions about our security practices, please contact us at: