Security at Dexfluence
We take the security of your data seriously. Here's how we protect your account, your brand's sensitive insights, and your payment information.
Infrastructure
- Hosting: Vercel Edge Network with global CDN, DDoS mitigation, and automatic HTTPS.
- Database: Supabase (PostgreSQL) hosted on AWS with VPC isolation, encrypted backups, and point-in-time recovery.
- Encryption at rest: AES-256 for all database tables and object storage.
- Encryption in transit: TLS 1.3 enforced on all endpoints. HSTS enabled.
- Row-Level Security (RLS): Database-level isolation ensures users can only access their own data.
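The following is an added illustration of what the Row-Level Security bullet above means in practice; it is not Dexfluence's schema or policy code. It assumes a Supabase-style Postgres database, a hypothetical table named brand_insights with an owner column user_id, and Supabase's auth.uid() helper, which returns the id of the user carried in the request JWT.

```sql
-- Added example (not Dexfluence's own schema): minimal Postgres/Supabase RLS setup.
-- Assumptions: table "brand_insights" with owner column "user_id"; auth.uid() is
-- Supabase's helper that reads the "sub" claim of the authenticated request JWT.
create table if not exists public.brand_insights (
  id         bigint generated always as identity primary key,
  user_id    uuid not null,
  payload    jsonb not null,
  created_at timestamptz not null default now()
);

-- Deny-by-default: once RLS is enabled, a table with no policies returns no rows
-- to ordinary roles. FORCE applies the policies to the table owner as well.
alter table public.brand_insights enable row level security;
alter table public.brand_insights force row level security;

-- Each signed-in user may read only the rows they own.
create policy "owner can read own insights"
  on public.brand_insights
  for select
  to authenticated
  using (user_id = auth.uid());

-- Inserts must be stamped with the caller's own id; a client cannot write
-- rows on behalf of another user even if it controls the request body.
create policy "owner can insert own insights"
  on public.brand_insights
  for insert
  to authenticated
  with check (user_id = auth.uid());

-- Updates: the row must already belong to the caller (USING) and must still
-- belong to the caller after the change (WITH CHECK), so ownership cannot be
-- transferred by editing user_id.
create policy "owner can update own insights"
  on public.brand_insights
  for update
  to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- Quick isolation check, run inside a transaction so the settings are scoped to it.
-- The claims JSON below is a constructed sample; Supabase normally sets it from the JWT.
begin;
set local role authenticated;
set local request.jwt.claims =
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
select count(*) from public.brand_insights;  -- counts only that user's rows
rollback;
```

Two points worth keeping in mind when reading a statement like the one above: policies are evaluated per table, so every table holding user data needs its own enable/policy pair, and a database connection made with the service-role key bypasses RLS entirely, which is why such keys belong only in server-side code.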
Authentication
- Password hashing: bcrypt with adaptive cost factor (via Supabase Auth).
- Google OAuth: Standard OAuth 2.0 flow with PKCE for browser-based clients.
- Session tokens: JWTs signed with HMAC-SHA256, 1-hour access token expiry, 30-day refresh tokens.
- Meta/Facebook OAuth: Long-lived Page Access Tokens, stored encrypted, revocable at any time.
- Rate limiting: Applied on login, signup, and password reset to prevent brute-force attacks.
Payment Security
We never store credit card or bank details. All payments are processed through PCI DSS Level 1 certified providers:
- Razorpay for INR payments (India).
- Stripe for USD/EUR payments (international).
Razorpay and Stripe are the payment layer — your card data goes directly to them over encrypted channels and never touches our servers.
API Security
- All API endpoints require valid JWT authentication.
- CORS strictly scoped to production domains.
- Per-user rate limits to prevent abuse.
- Input validation on all write endpoints to prevent injection attacks.
- Service role keys never exposed to client code — only used in server-side API routes.
Incident Response
We log security events in real time and review them daily. In the event of a confirmed breach affecting your personal data, we will:
- Notify affected users within 72 hours (GDPR/DPDP Act requirement).
- Publish a post-mortem with root cause and remediation steps.
- Offer identity-protection support where applicable.
Responsible Disclosure
Found a vulnerability? We appreciate security researchers who follow responsible disclosure. Email shikhapatel1507@gmail.com with:
- A clear description of the issue.
- Steps to reproduce.
- Proof of concept (if applicable).
Please do not publicly disclose until we've had a reasonable chance to remediate (typically 90 days). We will acknowledge your report within 48 hours and credit you in our hall of fame if desired.
What You Can Do
- Use a strong, unique password (or use Google Sign-In).
- Enable 2FA on your email account.
- Never share OAuth tokens publicly.
- Report suspicious activity immediately.
Security Contact
Email: shikhapatel1507@gmail.com