Security & Trust

This page details how PositiveBacklink protects user data and how to report vulnerabilities. We treat security as an ongoing commitment, not a checkbox.

Data protection

• Encryption in transit: TLS 1.3 enforced via Cloudflare with HSTS preload (2-year max-age, includeSubDomains).
• Encryption at rest: All user data is stored in Supabase Postgres with AES-256 encryption on disk and automated daily backups.
• Password storage: Bcrypt with cost factor 10, salted per-user. Passwords are never logged or visible in plaintext.
• Session tokens: JWT with 1-hour access token, 7-day refresh token, rotated on every refresh.

Security headers

Every response includes the following headers (verifiable via securityheaders.com):

Authentication

• Email + password with mandatory verification
• OAuth via Google (optional)
• Magic-link sign-in available on request
• Two-factor authentication (TOTP) coming Q3 2026

Infrastructure

• Edge: Cloudflare with DDoS mitigation and WAF rules
• Compute: Vercel serverless functions in iad1, fra1, sin1 regions
• Database: Supabase Postgres with Row-Level Security on every table
• Secrets: Vercel Environment Variables, encrypted at rest, never logged

Vulnerability disclosure

If you discover a security vulnerability, please email security@positivebacklink.com with:

• Description of the issue and affected endpoint(s)
• Proof-of-concept request or video
• Suggested severity and impact

We commit to:

• Acknowledge within 48 hours
• Triage and assign severity within 5 business days
• Notify affected users if data exposure is confirmed
• Credit reporters in our Hall of Fame (with consent)

Compliance roadmap

• GDPR: Compliant. Data processing agreement available on request.
• SOC 2 Type II: Audit scheduled Q1 2027
• HIPAA / FedRAMP: Not in scope