Security First

Security Built Into Every Layer

LoyaltyHQ is built from the ground up with multi-tenant isolation, encryption, and defense-in-depth security controls.

Security Architecture

Core security controls built into the platform

AES-256-GCM Encryption

Tenant credentials encrypted at rest

Row-Level Security

PostgreSQL RLS on all tenant tables

Bcrypt API Key Hashing

API keys hashed before storage

CSRF Protection

Constant-time token comparison

Security Features

Defense in Depth

Multiple layers of security protect your data at every level

Encryption

Tenant credentials are encrypted at rest using AES-256-GCM. All traffic is encrypted in transit via TLS. API keys are hashed with bcrypt before storage.

Tenant Isolation

Supabase PostgreSQL with Row-Level Security (RLS) enforced on all tenant tables. Every query is scoped to the authenticated tenant, preventing cross-tenant data access.

Role-Based Access Control

Five-tier RBAC model: super_admin, tenant_owner, tenant_admin, tenant_user, and partner. API route guards enforce permissions at every endpoint.

Audit Logging

Structured audit logs for all critical actions including points transactions, redemptions, partner management, and configuration changes.

CSRF & Rate Limiting

CSRF protection via cookie-based tokens with constant-time comparison. Rate limiting powered by Upstash Redis with fail-closed behavior in production.

Security Headers

Content Security Policy, HSTS, X-Frame-Options, and other security headers configured. Server-only guards prevent secret-bearing modules from leaking to the client.

CI/CD Security

Automated Security Checks

Every code change goes through automated security checks before it reaches production.

Dependency Scanning

npm audit runs in CI on every pull request to catch known vulnerabilities in dependencies.

Secret Scanning

TruffleHog scans every commit for accidentally committed secrets, tokens, and credentials.

Pre-Commit Hooks

Husky and lint-staged enforce linting and formatting checks before code is committed.

API Guard Verification

CI checks verify that all API routes use proper authentication and authorization guards.

RLS Coverage Checks

Automated checks ensure Row-Level Security policies are applied to all tenant-scoped tables.

Atomic Database Operations

Critical operations like points awarding, redemptions, and refunds use PostgreSQL RPC functions for atomicity.

Data Handling

Your Data, Your Control

We believe you should have complete control over your data. Here's how we handle it.

Data Minimization

We only collect and retain data necessary for providing our services.

Data Retention

Configurable retention policies with secure data deletion upon request.

Data Portability

Export your data anytime in standard formats. Your data belongs to you.

Data Location

Data is stored in AWS us-west-2 (Oregon) via Supabase managed PostgreSQL.

Infrastructure

Hosted on Modern Cloud Infrastructure

LoyaltyHQ runs on Vercel's edge network for the application layer and Supabase managed PostgreSQL (AWS us-west-2) for the data layer. Payment processing is handled entirely by Stripe with webhook idempotency and replay protection.

Vercel

Edge Application Hosting

Supabase

Managed PostgreSQL + Auth

Stripe

PCI-Compliant Payments

Enterprise Security Features

For organizations with advanced security requirements, we offer additional enterprise features and compliance support.

Audit Log API Access

Custom Data Retention

BAA/DPA Agreements

Responsible Disclosure

Found a security vulnerability? We appreciate responsible disclosure. Please report security issues to our security team.