Aerea Labs

Security & compliance

Trust evidence ready to review.

Every primitive listed below is wired into this repo today. This page lets legal, security, and procurement reviewers inspect the system without the project claiming any certification.

Tamper-evident audit chain

Security- and compliance-relevant events are written to an append-only, hash-linked Postgres table. Every row carries the sha256 of the previous row, RLS policies refuse UPDATE and DELETE at the database layer, and a daily verifier cron walks the chain and flags any broken link. This is evidence scaffolding for qualified SOC 2, HIPAA, or SEC review, not a certification claim.

Evidence: src/libs/AuditChain.ts + migration 0016-audit-chain
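To make the chain check concrete, here is an added TypeScript sketch of the hash linking and the verifier walk; it is not the repo's AuditChain.ts, and the row shape, field names and sample events are constructed assumptions.

```typescript
import { createHash } from "node:crypto";

// Constructed row shape for this example; the repo's real 0016-audit-chain
// schema may differ. Each row commits to the previous one through prevHash.
export interface AuditRow {
  seq: number;      // 1-based append order
  event: string;    // e.g. "export.requested"
  actor: string;
  at: string;       // ISO-8601 timestamp
  prevHash: string; // sha256 of the previous row, GENESIS_HASH for row 1
  hash: string;     // sha256 over this row's fields including prevHash
}
export const GENESIS_HASH = "0".repeat(64);

// Canonical serialisation: fixed field order, so every verifier hashes identical bytes.
export function rowDigest(row: Omit<AuditRow, "hash">): string {
  const canonical = JSON.stringify([row.seq, row.event, row.actor, row.at, row.prevHash]);
  return createHash("sha256").update(canonical).digest("hex");
}

// Append-only write: the new row carries the current head hash as prevHash.
export function appendEvent(chain: AuditRow[], event: string, actor: string, at: string): AuditRow[] {
  const head = chain[chain.length - 1];
  const partial = { seq: head ? head.seq + 1 : 1, event, actor, at, prevHash: head ? head.hash : GENESIS_HASH };
  return [...chain, { ...partial, hash: rowDigest(partial) }];
}

// What the daily verifier does: walk the rows in order and return the seq of the
// first row whose link or digest fails, or null when the chain is intact.
export function verifyChain(chain: AuditRow[]): number | null {
  let expectedPrev = GENESIS_HASH;
  let expectedSeq = 1;
  for (const row of chain) {
    if (row.seq !== expectedSeq || row.prevHash !== expectedPrev) return row.seq;
    const { hash, ...unsigned } = row;
    if (rowDigest(unsigned) !== hash) return row.seq;
    expectedPrev = hash;
    expectedSeq = row.seq + 1;
  }
  return null;
}

// Constructed sample events (not real data).
export function sampleChain(): AuditRow[] {
  let chain: AuditRow[] = [];
  chain = appendEvent(chain, "user.login", "alice", "2024-03-01T08:00:00Z");
  chain = appendEvent(chain, "export.requested", "alice", "2024-03-01T08:05:00Z");
  chain = appendEvent(chain, "deletion.scheduled", "bob", "2024-03-02T09:30:00Z");
  return chain;
}
```

Editing, re-hashing or deleting an interior row is caught at that row or its successor, but dropping the newest rows breaks no link, so a verifier also needs to persist the head hash it last saw between runs.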

GDPR compliance

Users can request a full data export (gzipped JSON of every row tied to their account, delivered through a signed download link with a 24h TTL) and can schedule deletion with a 30-day grace window. The cancel flow uses a single-use token emailed to the user. Foreign-key cascades clean every product table on hard delete.

Evidence: src/actions/account.ts + data_exports table

HTTP hardening

Production routes ship with Content-Security-Policy (default-src 'self', frame-ancestors 'none'), HSTS (max-age 2 years, preload), X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and a Permissions-Policy that locks down camera, microphone, and geolocation. Discoverable security contact at /.well-known/security.txt (RFC 9116).

Evidence: next.config.ts headers() + /.well-known/security.txt

Idempotent webhooks

Every state-mutating endpoint accepts an Idempotency-Key header. A retry with the same key and the same body replays the cached response with Idempotency-Replayed: true; the same key with a different body returns 409 Conflict. Stripe webhooks are keyed on Stripe-Event-Id, so retries never fire audit rows or notifications twice.

Evidence: src/libs/Idempotency.ts + migration 0019-idempotency

Secrets handling

Every API key, database password, and HMAC secret is loaded from the environment via a strongly typed Env module. No secret is shipped to the client bundle; server-only modules are statically analyzed to enforce this. Local development uses .env.local; production reads from the platform's secret store.

Evidence: src/libs/Env.ts (zod-validated, server-only)

Responsible disclosure

We publish a discoverable contact at /.well-known/security.txt with our security email and policy URL. Researchers can submit findings privately; we acknowledge within 48 hours and target a fix or mitigation timeline within 7 days for high-severity issues.

Evidence: /.well-known/security.txt