
Security

How we protect your data.

Last updated: 2026-05-19

Infrastructure

  • API + dashboard run on Cloudflare Workers (edge, DDoS-protected by default)
  • Database: Neon Postgres in EU region (eu-central-1, Frankfurt), encrypted at rest, TLS 1.3 in transit
  • Connection pooling via Cloudflare Hyperdrive with prepared-statement isolation
  • Secrets stored as Worker secrets (encrypted, not visible in logs)

Authentication

  • Dashboard sign-in via Google OAuth or magic link (sent via Resend); session cookies are httpOnly, sameSite=lax and secure
  • API authentication via scoped API keys (read / write / admin), sent as Authorization: Bearer ...
  • Per-key rate limits, per-IP rate limits, Turnstile on marketing intake

Data handling

  • Every API call is scoped to one organization; the middleware layer rejects cross-tenant requests before they reach a handler or a query
  • All inputs validated with Zod schemas before reaching the database
  • Outputs sanitized with DOMPurify before render where HTML is allowed
  • Operational logs retained 30 days, then deleted
  • Account deletion: 30-day soft delete, then full purge from primary DB and backups within 90 days

Reporting a vulnerability

Found something? Email security@thefaq.app with subject "Security disclosure". Include:

  • Reproduction steps
  • Impact assessment from your side
  • Your handle (if you want public credit)

We respond within 48 hours, fix within an agreed window proportional to severity, and credit reporters on a hall-of-fame page once the fix ships. We don't pay bounties today; we'll move to a paid program once revenue justifies it.

What we're not

We don't have SOC 2 today. We don't claim HIPAA or PCI scope. Enterprise customers can request a DPA and a security questionnaire response.