Skip to content

Security

How we protect your data.

Last updated: 2026-05-19

Infrastructure

  • API and dashboard run on a globally distributed edge platform with built-in DDoS protection
  • Managed PostgreSQL hosted in the EU, encrypted at rest with TLS 1.3 in transit
  • Database access runs over pooled, isolated connections
  • Secrets are held in an encrypted secrets store and never appear in logs

Authentication

  • Dashboard sign-in via Google OAuth or magic link (Resend), session cookies are httpOnly + sameSite=lax + secure
  • API authentication via scoped API keys (read / write / admin), sent as Authorization: Bearer ...
  • Per-key rate limits, per-IP rate limits, Turnstile on marketing intake

Data handling

  • Every API call is scoped to one organization; cross-tenant access is impossible at the middleware layer
  • All inputs validated with Zod schemas before reaching the database
  • Outputs sanitized before render where HTML is allowed
  • Operational logs retained 30 days, then deleted
  • Account deletion: 30-day soft delete, then full purge from primary DB and backups within 90 days

Reporting a vulnerability

Found something? Email security@thefaq.app with subject "Security disclosure". Include:

  • Reproduction steps
  • Impact assessment from your side
  • Your handle (if you want public credit)

We respond within 48 hours, fix within an agreed window proportional to severity, and credit reporters on a hall-of-fame page once the fix ships. We don't pay bounties today; we'll move to a paid program once revenue justifies it.

What we're not

We don't have SOC 2 today. We don't claim HIPAA or PCI scope. Enterprise customers can request a DPA and a security questionnaire response.