Security at ValidKit
ValidKit is committed to protecting your data with industry-standard security practices and enterprise-grade infrastructure.
Infrastructure Security
Hosting & Infrastructure
- API Hosting: Vercel (SOC 2 Type II certified)
- Database: Supabase (ISO 27001 certified)
- CDN & DDoS Protection: Cloudflare
- Payment Processing: Stripe (PCI DSS Level 1)
Encryption
- Data in Transit: TLS 1.3 for all API traffic
- API Keys: Hashed with bcrypt before storage
- Database: Encrypted at rest (AES-256)
- Backups: Encrypted and geo-replicated
Data Protection
Email Privacy (Core Principle)
Email addresses submitted for validation are NEVER stored permanently.
- Processed in-memory only during validation
- Immediately discarded after response
- Hashed (SHA-256) before logging for debugging
- No email PII in application logs
Data Retention
- Validation Results Cache: 30 days maximum (automatic deletion)
- Application Logs: 30 days (hashed emails only)
- Account Data: Until account deletion + 30 days
- Billing Records: 7 years (tax law requirement)
Access Control
API Authentication
- API Key Authentication: X-API-Key header required
- Key Rotation: Self-service key rotation via Dashboard
- Key Storage: Bcrypt hashed, never stored in plaintext
- HTTPS Only: HTTP requests automatically upgraded
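The two storage rules above (API keys kept only as a salted slow hash, never in plaintext) and the logging rule under Email Privacy (addresses reduced to a SHA-256 digest before they reach a log line) can be shown together. The following is an added example, not ValidKit's code: it uses `hashlib.scrypt` from the Python standard library as a stand-in for bcrypt so it runs with no third-party package (with the `bcrypt` package the two calls become `bcrypt.hashpw` and `bcrypt.checkpw`), and the `vk_<key_id>_<secret>` key layout is an assumption made here, because a salted hash cannot be looked up by value and some plaintext identifier is needed to find the record.

```python
"""Added example (not ValidKit's code): API keys verified from the X-API-Key
header against a salted slow hash, and email addresses hashed before logging."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Hypothetical key layout "vk_<key_id>_<secret>": key_id is stored in clear
# for lookup, only the secret half is hashed.
KEY_PREFIX = "vk"


def _slow_hash(secret: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt: scrypt from the standard library (16 MiB, n=2^14).
    return hashlib.scrypt(secret.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def generate_api_key() -> Tuple[str, dict]:
    """Return (plaintext key shown once to the user, record to persist).
    The record holds the key_id, a per-key salt and the hash; never the key."""
    key_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    record = {"key_id": key_id, "salt": salt.hex(), "hash": _slow_hash(secret, salt).hex()}
    return f"{KEY_PREFIX}_{key_id}_{secret}", record


def parse_api_key(key: str) -> Optional[Tuple[str, str]]:
    parts = key.split("_", 2)  # secret may itself contain '_'
    if len(parts) != 3 or parts[0] != KEY_PREFIX or not parts[1] or not parts[2]:
        return None
    return parts[1], parts[2]


def authenticate(headers: dict, store: dict) -> Optional[str]:
    """Check the X-API-Key header (header names are case-insensitive) against
    the stored records; return the key_id on success, None otherwise."""
    key = next((v for k, v in headers.items() if k.lower() == "x-api-key"), None)
    if not key:
        return None
    parsed = parse_api_key(key)
    if parsed is None:
        return None
    key_id, secret = parsed
    record = store.get(key_id)
    if record is None:
        return None
    expected = bytes.fromhex(record["hash"])
    actual = _slow_hash(secret, bytes.fromhex(record["salt"]))
    # Constant-time comparison of the two digests.
    return key_id if hmac.compare_digest(expected, actual) else None


def email_log_token(email: str) -> str:
    """SHA-256 of the normalised address: log lines about the same address can
    be correlated for debugging without the address itself being written."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def log_validation(email: str, key_id: str, result: str) -> str:
    """Build the log line for one validation; refuses to emit raw email PII."""
    line = f"validate key_id={key_id} email_sha256={email_log_token(email)} result={result}"
    if email.strip().lower() in line.lower():
        raise RuntimeError("email PII must not reach application logs")
    return line
```

Two points the code makes explicit: the verifier only ever sees a digest, so a database dump yields no usable keys; and an unsalted SHA-256 of an address is a correlation token, not anonymisation (anyone holding a candidate address can hash it and match the log line), which is why retention of even hashed logs is still bounded.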
Rate Limiting
- Multi-Layer Protection: API key, IP address, domain-based limiting
- Abuse Prevention: Email enumeration attack detection
- DDoS Protection: Cloudflare enterprise protection
- Fair Use: Rate limits prevent service abuse
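The multi-layer limiting described above, as an added example that is not ValidKit's code: one request is checked against three independent counters (the API key, the client IP, and the domain of the address being validated) and is refused if any layer is exhausted. The per-key-plus-domain layer is what makes a sweep of one domain stand out even when the key is well under its own quota. The limit values, the 60-second sliding window and the injectable clock are constructed for the example.

```python
"""Added example (not ValidKit's code): sliding-window limiter with
independent key, IP and domain layers."""
import time
from collections import defaultdict, deque

# Constructed limits (requests per window); not ValidKit's actual values.
LIMITS = {"key": 100, "ip": 300, "domain": 20}
WINDOW = 60.0


class MultiLayerLimiter:
    def __init__(self, limits=LIMITS, window=WINDOW, clock=time.monotonic):
        self.limits = dict(limits)
        self.window = window
        self.clock = clock  # injectable so tests can advance time
        # One deque of request timestamps per (layer, identity).
        self._events = defaultdict(deque)

    def _window(self, layer, ident, now):
        """Drop timestamps older than the window and return the live queue."""
        q = self._events[(layer, ident)]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def check(self, key_id, ip, email):
        """Return (allowed, exhausted_layer). The request is recorded only
        when every layer allows it, so a refused call burns no quota."""
        now = self.clock()
        domain = email.rsplit("@", 1)[-1].lower()
        identities = {
            "key": key_id,
            "ip": ip,
            # Scoped per key: one key hammering one domain looks like enumeration.
            "domain": f"{key_id}:{domain}",
        }
        queues = {}
        for layer, ident in identities.items():
            q = self._window(layer, ident, now)
            if len(q) >= self.limits[layer]:
                return False, layer
            queues[layer] = q
        for q in queues.values():
            q.append(now)
        return True, None
```

Returning the exhausted layer is deliberate: a per-domain refusal can be alerted on as a possible enumeration attempt, while a per-key refusal is ordinary fair-use throttling, and the two warrant different responses.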
Internal Access
- Principle of Least Privilege: Role-based access control
- Multi-Factor Authentication: Required for all admin access
- Access Logging: All administrative actions logged
- Regular Audits: Quarterly access reviews
Monitoring & Incident Response
Real-Time Monitoring
- Uptime Monitoring: Multi-region health checks every 60 seconds
- Performance Tracking: P50, P95, P99 response time monitoring
- Error Alerting: Real-time alerts for elevated error rates
- Security Events: Automated detection of suspicious activity
Incident Response
- Breach Notification: 72 hours (GDPR Article 33 compliant)
- Incident Team: Dedicated on-call engineering team
- Post-Mortem: Root cause analysis for all incidents
- Communication: Status page + email notifications
Compliance & Certifications
CCPA Compliant
California Consumer Privacy Act compliance. California residents' rights honored.
SOC 2 Ready Infrastructure
Built on SOC 2 Type II certified infrastructure (Vercel). Enterprise: custom security agreements available.
Responsible Disclosure
Found a security vulnerability? We appreciate responsible disclosure.
How to Report
- Email: [email protected]
- PGP Key: Available upon request for encrypted communication
- Response Time: Initial response within 48 hours
Our Commitment
- Fix timeline: Critical (24h), High (7 days), Medium (30 days)
- Public disclosure coordinated with researcher
- Security researcher credit (if desired)
- Bug bounty: Case-by-case basis for verified vulnerabilities
Third-Party Services
ValidKit relies on enterprise-grade third-party services with strong security credentials:
| Service | Purpose | Security |
|---|---|---|
| Vercel | API Hosting | SOC 2 Type II |
| Supabase | Database | ISO 27001 |
| Stripe | Payment Processing | PCI DSS Level 1 |
| Cloudflare | CDN & DDoS Protection | ISO 27001 |
Full list of sub-processors available in our Data Processing Agreement.
Questions?
Have security questions or need more information?
- Security Inquiries: [email protected]
- Privacy Requests: [email protected]
- General Support: [email protected]
Enterprise Security Requirements? We offer custom security agreements, dedicated support, and enhanced SLAs for enterprise customers. Contact [email protected].