Security

Traffic is served over HTTPS. Your license number is encrypted at the application layer before storage, so it is not readable directly from the database. Certificate files are stored in a private bucket and accessed only through short-lived signed URLs.

Every user-data table has row-level security enabled and default-deny by policy. Queries are always scoped to the signed-in user, so one user’s licenses, credits, and certificates are never visible to another. Cross-tenant isolation is tested.

Access to your account is protected by:

• Email-and-password or passwordless magic-link sign-in, handled by our authentication provider.
• Rate limiting on sign-in and password-reset requests to slow brute-force and abuse.
• A current-password check before any in-app password change, so an unlocked session cannot silently lock you out.

Secrets and privileged keys are kept server-side only and never shipped to the browser. User records are soft-deleted rather than hard-deleted, and changes to your CPE records are written to an append-only history for an audit trail.

If you believe you’ve found a security issue, please report it to us through the Help & support page rather than disclosing it publicly, and give us a reasonable opportunity to address it. A dedicated security contact will be published with the reviewed policy.