Security

How we protect subscriber data

Public-data-only architecture means most of our security surface is small by design: we never see card numbers, never store passwords, and never collect sensitive personal categories. The controls below cover what we do handle: subscriber email, Stripe customer IDs, share tokens, and our own admin tooling.

Transport security

HSTS preload (max-age=63072000; includeSubDomains; preload) — included in the Chromium HSTS preload list.
TLS 1.2+ only; cipher suites curated by Vercel's edge.
Strict CSP (default-src 'self') with auditable allowlist for PostHog EU and inline scripts.
X-Frame-Options: DENY (no embedding).
Referrer-Policy: strict-origin-when-cross-origin.
Permissions-Policy blocks camera, microphone, geolocation site-wide.

Email security

SPF, DKIM, DMARC p=quarantine on the gitdealflow.com sending domain.
MTA-STS policy at /.well-known/mta-sts.txt — inbound mail enforce mode.
TLS-RPT reporting on _smtp._tls.gitdealflow.com.
Resend handles transactional sends; audience hygiene tracked in lib/excluded-emails.mjs.

Authentication & secrets

No user passwords. Free signups: email-only opt-in. Paid users: API keys (gdf_v2.cus_xxx.<hmac>) bound to a Stripe customer ID.
Share tokens are URL-safe random IDs scoped to a single resource, with no enumeration vector.
Admin tools: hardware-key MFA on Vercel, Stripe, Resend, GitHub. No shared admin credentials.
Operator x402 wallet uses Coinbase CDP Server Wallet v2 — Wallet Secret stored in Vercel encrypted env.

Vulnerability disclosure

We follow the disclose.io core terms. Safe harbor for good-faith research, 72-hour acknowledgement SLA, attribution on the hall-of-fame page (or anonymous, your choice).

Full policy: /disclosure
RFC 9116 contact: /.well-known/security.txt
Machine-readable: /.well-known/disclosure.json, /.well-known/security-policy.json

Subprocessor controls

We rely on the SOC 2 Type II / ISO 27001 footprints of upstream processors for the foundation: Stripe (PCI-DSS Level 1), Vercel, Resend, PostHog EU, Hetzner. Full inventory and DPAs at /subprocessors.

Incident response

72-hour breach notification to subscribers (GDPR Art. 33).
Public corrections log at /corrections.
Annual transparency report at /transparency with a standing warrant canary.
Status surface at /uptime.

How we protect subscriber data

Transport security

HSTS preload (max-age=63072000; includeSubDomains; preload) — included in the Chromium HSTS preload list.

TLS 1.2+ only; cipher suites curated by Vercel's edge.

Strict CSP (default-src 'self') with auditable allowlist for PostHog EU and inline scripts.

X-Frame-Options: DENY (no embedding).

Referrer-Policy: strict-origin-when-cross-origin.

Permissions-Policy blocks camera, microphone, geolocation site-wide.

Authentication & secrets

No user passwords. Free signups: email-only opt-in. Paid users: API keys (gdf_v2.cus_xxx.<hmac>) bound to a Stripe customer ID.

Share tokens are URL-safe random IDs scoped to a single resource, with no enumeration vector.

Admin tools: hardware-key MFA on Vercel, Stripe, Resend, GitHub. No shared admin credentials.

Operator x402 wallet uses Coinbase CDP Server Wallet v2 — Wallet Secret stored in Vercel encrypted env.

Vulnerability disclosure

We follow the disclose.io core terms. Safe harbor for good-faith research, 72-hour acknowledgement SLA, attribution on the hall-of-fame page (or anonymous, your choice).