Security at CertificateWatch
Your certificate data is confidential. We take data protection seriously and rely on proven security standards.
🔐 Authentication
- ✓ JWT tokens in HTTP-only cookies (no localStorage)
- ✓ Token expiry after 7 days
- ✓ Secure & SameSite cookie flags in production
- ✓ Passwords hashed with bcrypt (salt rounds: 10)
- ✓ Password reset via token (valid for 1 hour)
🛡️ Brute-Force Protection
- ✓ Rate limiting on login (5 attempts / 15 min)
- ✓ Rate limiting on password reset (3 / hour)
- ✓ API rate limiting (100 requests / minute / org)
- ✓ IP-based detection and blocking
👥 Access Control
- ✓ Role-based: User, Admin, Platform Admin
- ✓ Organization-level data separation (multi-tenancy)
- ✓ API keys stored as SHA-256 hash (never in plaintext)
- ✓ API keys revocable at any time
📋 Audit & Logging
- ✓ Audit logs for all admin actions
- ✓ Captures: user, action, timestamp, IP address
- ✓ Cron job logs with error classification per source
- ✓ Alert history: who was notified when
🏗️ Infrastructure
- ✓ Hosted on Vercel (automatic HTTPS)
- ✓ Database: Supabase PostgreSQL (EU region)
- ✓ Encrypted connections (TLS 1.2+)
- ✓ No production database access without service role key
📧 Communication
- ✓ Email delivery via Resend (SPF/DKIM verified)
- ✓ No sensitive data in email alerts
- ✓ Reset tokens single-use only
Responsible Disclosure
Found a security vulnerability? Please report it responsibly to:
security@certificatewatch.com

We take every report seriously and respond within 48 hours. Please do not publish details until we have resolved the issue together.
Convinced by our security?
Start your free 14-day trial and see our security standards firsthand.