Security
Last updated: June 1, 2026
Security and privacy are foundational to Imagini Health Corporation. We handle sensitive diagnostic data, and protecting it is core to how we build and operate our products. This page summarizes the safeguards and practices we use to keep data secure, and how we approach regulatory compliance.
Our Approach to Security
We design our systems with security in mind from the ground up and align our practices with widely recognized industry frameworks, including the NIST Cybersecurity Framework, CIS Benchmarks, and OWASP guidelines. Security is treated as an ongoing program, not a one-time effort.
Data Encryption
Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256. Credentials and access tokens are stored encrypted and are never exposed in plaintext.
Infrastructure & Application Security
We operate on a zero trust architecture and enforce the principle of least privilege: every request is authenticated and authorized, and access to systems and data is granted only as needed. Administrative access is protected with strong authentication and multi-factor authentication (MFA).
Our applications run on reputable cloud infrastructure providers that maintain robust physical and network security controls and recognized compliance certifications, with configurations hardened in line with CIS Benchmarks. We follow secure development practices aligned with the OWASP guidelines, keep dependencies updated to address known vulnerabilities, apply layered protections against spam, fraud, and abuse, review changes before they reach production, and monitor our systems for anomalies.
Regulatory Compliance
We are committed to complying with applicable data protection and privacy laws across the jurisdictions in which our users operate. These include, among others:
- California — the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
- New York — the Stop Hacks and Improve Electronic Data Security (SHIELD) Act.
- European Union & United Kingdom — the General Data Protection Regulation (GDPR) and UK GDPR.
- Other applicable U.S. state and international data protection laws.
For details on what we collect and how we use it, see our Privacy Policy.
Incident Response & Breach Notification
We maintain processes to detect, respond to, and remediate security incidents. In the event of a data breach affecting personal information, we will notify affected individuals and the appropriate authorities as required by applicable law.
Responsible Disclosure
We welcome reports from security researchers. If you believe you have discovered a security vulnerability in our website or services, please contact us with the details. We ask that you give us a reasonable opportunity to investigate and remediate before any public disclosure, and that you avoid accessing or modifying data that is not your own.
Questions
If you have questions about our security practices, we’d be happy to help.
Contact Us