Contents
Report a Vulnerability
If you found a security issue, please report it to our security team.
Security & Data Protection
Enterprise-grade security measures to protect your data and API access
API Security
π HTTPS Encryption
All API requests and responses are encrypted using TLS 1.2+ (HTTPS). This ensures that data transmitted between your application and our servers cannot be intercepted or modified.
π API Key Authentication
Every API request requires a valid API key in the Authorization header:
Authorization: Bearer YOUR_API_KEY
API keys are cryptographically secure, unique per customer, and can be regenerated or revoked at any time through your dashboard.
Rate Limiting
API requests are rate-limited to prevent abuse and ensure fair usage. Limits are generous for paid plans and can be adjusted for enterprise customers.
π« No PII Storage
We don't store personally identifiable information (PII) in calculation requests. Only invoice dates, states, and calculation results are storedβno names, addresses, or project details.
π Request Logging
API requests are logged for security monitoring and debugging. Logs include timestamps, API keys (masked), endpoints accessed, and response codes. Logs are retained for 90 days.
Data Protection
πΎ Encrypted Database
All data is stored in a PostgreSQL database hosted on Railway with encryption at rest. Database access is restricted to authorized personnel only.
π Password Security
User passwords are hashed using bcrypt before storage. We never store passwords in plain text and cannot retrieve your password if forgotten (password reset required).
πΏ Regular Backups
Automated daily backups with 30-day retention. Backups are encrypted and stored separately from production data. We can restore data to any point within the retention period.
ποΈ Infrastructure Security
Our infrastructure is hosted on Railway, which provides:
- DDoS protection and mitigation
- Automatic security updates
- Network isolation and firewalls
- 24/7 monitoring and incident response
Payment Security
π³ Stripe PCI Compliance
All payments are processed through Stripe, which is PCI DSS Level 1 compliant (the highest level of payment security). We never see, store, or process your credit card information directly.
π« No Credit Card Storage
We do not store credit card numbers, CVV codes, or billing addresses. All payment data is handled securely by Stripe's infrastructure.
Compliance & Certifications
π SOC 2 Compliance
We are working toward SOC 2 Type II certification. Our security practices align with SOC 2 requirements for security, availability, and confidentiality.
π GDPR & CCPA Compliance
We comply with GDPR (EU) and CCPA (California) privacy regulations. Users can request access, deletion, or export of their data. See our Privacy Policy for details.