🔒

Security at DIFFSCOUT

Your data security is our priority. Here's how we protect your information.

🔐

Authentication & Access

  • ✓ OAuth 2.0 authentication via Clerk (Google, GitHub, Microsoft)
  • ✓ No passwords stored - delegated authentication only
  • ✓ Per-request user validation on all API endpoints
  • ✓ Session tokens with automatic expiration
🛡️

Data Protection

  • ✓ All data encrypted in transit (TLS 1.3)
  • ✓ PostgreSQL database with SSL connections required
  • ✓ User data isolated by account (multi-tenant architecture)
  • ✓ Screenshots stored securely with ownership verification
🔒

API Security

  • ✓ Rate limiting on all endpoints (per-user and per-IP)
  • ✓ Request validation and sanitization
  • ✓ SQL injection prevention via parameterized queries
  • ✓ CORS headers properly configured
📊

Monitoring & Compliance

  • ✓ Audit logging for all API actions
  • ✓ Request IDs for full traceability
  • ✓ Error tracking without exposing sensitive data
  • ✓ Regular security reviews and updates
🌐

Infrastructure

  • ✓ Built on SOC 2 compliant infrastructure
  • ✓ Hosted on Railway (SOC 2 Type II certified)
  • ✓ Database on Neon PostgreSQL (SOC 2 Type II certified)
  • ✓ Authentication via Clerk (SOC 2 Type II certified)
  • ✓ Payment processing via Stripe (PCI DSS Level 1)
  • ✓ No customer payment data stored on our servers
🚫

What We Don't Do

  • ✓ We don't sell or share your data with third parties
  • ✓ We don't access pages behind your login credentials
  • ✓ We don't store passwords (OAuth only)
  • ✓ We don't track you outside of our service

Security Questions?

If you have security concerns or want to report a vulnerability, please contact us.

security@diffscout.com