Security

Security at every layer

Enterprise-grade security is not a premium feature — it's the foundation. Every table, every endpoint, every transaction is protected by design.

Start for Free Security Docs

Security layers

RLS

On all tables

SHA-256

Hash chain integrity

BIP39

HD key derivation

Infrastructure

Defense in depth

Row-Level Security

PostgreSQL RLS on all tables

Every database table is protected with Supabase RLS policies. Sellers can only access their own data. Buyers see only their own orders. No exceptions.

Immutable Ledger

SHA-256 hash chain integrity

Every financial transaction is recorded in an append-only ledger with SHA-256 hash chains. Each entry references the previous hash — tampering is cryptographically detectable.

Secure Key Management

In-memory key derivation

The platform master seed is stored exclusively in environment variables, never in the database. Private keys are derived in memory, used for signing, and immediately discarded.

Webhook Verification

HMAC-SHA256 signature verification

Every Stripe webhook is verified using HMAC-SHA256 signatures before processing. Replay attacks are blocked with timestamp validation.

Rate Limiting

Per-IP, per-route throttling

Per-IP and per-route rate limiting on all API endpoints. Brute-force protection on auth endpoints. DDoS mitigation at the edge via Cloudflare.

AI Fraud Detection

9-factor real-time scoring

9-factor risk scoring on every transaction: IP geolocation, device fingerprinting, email reputation, velocity, VPN detection, card BIN, behavioral analysis, purchase history, and address verification.

Input Validation & Sanitization

Zod + sanitization pipeline

All user input is validated with Zod schemas and sanitized before database insertion. XSS, SQL injection, and command injection are prevented at every boundary.

Security Status

All Systems Secure

7/7 security layers active

Row-Level Security

All tables enforced

Active

Immutable Ledger

SHA-256 hash chain

Active

Seed Storage

Env-only, never in DB

Active

Webhook Verification

Stripe signature check

Active

Rate Limiting

Per-IP, per-route

Active

Fraud Detection

9-factor AI scoring

Active

Input Validation

Zod schemas, sanitized

Active

Last security audit2026-03-30 00:00 UTC

Trust

Built for trust, not just compliance

Security is not a feature you add later. Every design decision — from database schema to API endpoints — is built with security as the foundation.

Service Role Isolation

Cross-boundary operations (checkout, webhooks, cron) use a dedicated service client that bypasses RLS. Anon clients are never used for sensitive operations.

Immutable Financial Records

Every ledger entry is append-only with cryptographic hash chains. Deletions and modifications are architecturally impossible. Full audit trail from day one.

Custodial Crypto Security

Crypto funds are held in platform-controlled wallets with HD-derived addresses. Private keys exist only in memory during signing. Immutable ledger tracks every movement.

Your data is safe here

Enterprise-grade security on every plan. No compromises, no premium tiers for basic protection. Security is the default.

Start for Free

Free forever · No credit card required · Full security on every plan

Defense in depth

Row-Level Security

PostgreSQL RLS on all tables

Every database table is protected with Supabase RLS policies. Sellers can only access their own data. Buyers see only their own orders. No exceptions.

Immutable Ledger

SHA-256 hash chain integrity

Every financial transaction is recorded in an append-only ledger with SHA-256 hash chains. Each entry references the previous hash — tampering is cryptographically detectable.

Secure Key Management

In-memory key derivation

The platform master seed is stored exclusively in environment variables, never in the database. Private keys are derived in memory, used for signing, and immediately discarded.

Webhook Verification

HMAC-SHA256 signature verification

Every Stripe webhook is verified using HMAC-SHA256 signatures before processing. Replay attacks are blocked with timestamp validation.

Rate Limiting

Per-IP, per-route throttling

Per-IP and per-route rate limiting on all API endpoints. Brute-force protection on auth endpoints. DDoS mitigation at the edge via Cloudflare.

AI Fraud Detection

9-factor real-time scoring

Input Validation & Sanitization

Zod + sanitization pipeline

All user input is validated with Zod schemas and sanitized before database insertion. XSS, SQL injection, and command injection are prevented at every boundary.