Protecting your data is foundational to everything we build. This page describes the technical and organizational measures we employ to keep your information safe.
Last Updated: March 2026
AES-256 Encryption: Field-level encryption for sensitive data
2FA Enabled: TOTP two-factor authentication
12+ Rate Limit Tiers: Cache-backed with graduated response
Isolated Tenant Data: Full multi-tenant separation
1. Infrastructure & Hosting
Kontraktr™ runs on hardened, production-grade cloud infrastructure designed for reliability and security.
Application hosting: Vercel's edge network provides automatic scaling, geo-distributed deployments, and built-in DDoS mitigation across hundreds of global points of presence.
Database: Enterprise-grade serverless PostgreSQL with automatic failover, point-in-time recovery, and encrypted storage.
Web Application Firewall: Enterprise WAF sits in front of all traffic, providing DDoS protection, bot mitigation, and malicious request filtering.
Connection pooling: Enterprise-grade connection pooling is enforced on all database connections to prevent connection exhaustion and ensure stable performance under load.
Configuration validation: Every required system setting is checked at application startup. Missing or malformed configuration prevents the application from starting, eliminating misconfiguration risks in production.
2. Data Encryption
All data is encrypted both in transit and at rest using industry-standard cryptographic protocols.
In Transit
TLS 1.2 or higher is required for every connection. Older protocols are rejected.
HTTP Strict Transport Security (HSTS) is enforced with a max-age of two years, includeSubDomains, and the preload directive, ensuring browsers never fall back to unencrypted HTTP.
The upgrade-insecure-requests CSP directive automatically elevates any residual HTTP references to HTTPS.
At Rest
Neon, the serverless PostgreSQL provider, encrypts all stored data using AES-256 at the storage layer.
Field-level encryption: Sensitive values such as OAuth tokens, API keys, and webhook secrets receive an additional layer of AES-256-GCM encryption before being written to the database. Each value is encrypted with a unique initialization vector.
Encryption keys are derived using industry-standard key derivation with domain-separated salts, ensuring that a compromise of one key context does not affect others.
3. Authentication & Access Control
We employ defense-in-depth for authentication, combining strong password handling with session management, multi-factor authentication, and role-based permissions.
Password Security
Passwords are hashed using an adaptive, memory-hard algorithm with a work factor tuned to modern hardware. Plaintext passwords are never stored or logged.
Breached password detection: During registration and password changes, passwords are checked against the Have I Been Pwned database using the k-anonymity API, which verifies breach status without ever transmitting the full password.
Account lockout: After 5 consecutive failed login attempts, the account is temporarily locked for 15 minutes to resist brute-force attacks.
Sessions & Tokens
JWT-based sessions use short-lived access tokens (15 minutes) paired with refresh token rotation.
Refresh token family tracking: Each refresh token belongs to a token family. If a previously-used refresh token is presented again (indicating potential theft), the entire token family is immediately revoked.
All active sessions are invalidated when a user changes their password.
Deactivated user accounts are force-signed-out within 5 minutes via background session checks.
Two-Factor Authentication
TOTP-based two-factor authentication is available for all users and can be enforced by organization administrators.
Backup codes are generated during 2FA setup and stored as SHA-256 hashes, not in plaintext.
Role-Based Access Control
Three role tiers — Admin, Sales Rep, and Employee — restrict what data each user can view, create, or modify.
RBAC checks are enforced server-side on every API request; client-side UI restrictions are supplementary, not authoritative.
4. Application Security
Multiple layers of HTTP-level defenses protect the application against common web vulnerabilities including XSS, clickjacking, CSRF, and data injection.
Content Security Policy (CSP): A strict CSP is applied to every response with per-request cryptographic nonces, preventing unauthorized script execution. Violation reports are collected and monitored.
CSRF protection: Origin-based validation is enforced on all state-mutating (non-GET) requests.
HTML sanitization: User-generated content is sanitized both server-side and client-side using DOMPurify to prevent stored and reflected cross-site scripting.
X-Frame-Options: DENY combined with the frame-ancestors 'none' CSP directive blocks all framing to prevent clickjacking.
Referrer-Policy: strict-origin-when-cross-origin limits information leakage in referrer headers.
Permissions-Policy: Camera, microphone, and geolocation APIs are explicitly disabled.
5. Rate Limiting
Abuse prevention is enforced at multiple layers with fine-grained, route-specific rate limits.
Rate limiting is backed by a distributed cache for accuracy, with an automatic in-memory fallback if the cache is unavailable to ensure protection is never bypassed.
12+ distinct rate limit tiers cover login attempts, public form submissions, webhook ingestion, general API calls, file uploads, AI feature usage, PIN verification, and more.
Exceeded limits return a 429 Too Many Requests response with a Retry-After header indicating when the client may retry.
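The cache-backed limiter with in-memory fallback and the 429 / Retry-After response described in this section, as an added example that is not Kontraktr's code. The tier table, the fixed-window algorithm, and the `incr(key, windowMs, now)` store interface are all assumptions; a real deployment would back the primary store with a distributed cache, while here both stores are in-memory so the block runs offline.

```javascript
// Added example (not Kontraktr's code): tiered fixed-window rate limiting with fallback.

// Tier table (constructed; names mirror the page's categories, numbers are illustrative).
const TIERS = {
  login:   { limit: 5,   windowMs: 15 * 60 * 1000 },
  webhook: { limit: 100, windowMs: 60 * 1000 },
  api:     { limit: 300, windowMs: 60 * 1000 },
};

// Minimal store interface: incr(key, windowMs, now) -> { count, resetAt }.
class MemoryStore {
  constructor() { this.buckets = new Map(); }
  incr(key, windowMs, now) {
    let b = this.buckets.get(key);
    if (!b || now >= b.resetAt) { b = { count: 0, resetAt: now + windowMs }; this.buckets.set(key, b); }
    b.count += 1;
    return { count: b.count, resetAt: b.resetAt };
  }
}

// Stand-in for an unreachable distributed cache: every call throws.
class FailingStore { incr() { throw new Error('cache unavailable'); } }

class RateLimiter {
  constructor(primary, fallback) { this.primary = primary; this.fallback = fallback; }
  // If the primary (distributed) store fails, the in-memory fallback keeps enforcing
  // the limit per process instead of failing open.
  check(tier, clientId, now = Date.now()) {
    const cfg = TIERS[tier];
    if (!cfg) throw new Error(`unknown rate-limit tier: ${tier}`);
    const key = `${tier}:${clientId}`;
    let r;
    try { r = this.primary.incr(key, cfg.windowMs, now); }
    catch { r = this.fallback.incr(key, cfg.windowMs, now); }
    if (r.count > cfg.limit) {
      return { allowed: false, remaining: 0, retryAfterSec: Math.ceil((r.resetAt - now) / 1000) };
    }
    return { allowed: true, remaining: cfg.limit - r.count, retryAfterSec: 0 };
  }
}

// Translate a check result into the status and headers a request handler would send.
function toHttp(result) {
  if (result.allowed) return { status: 200, headers: { 'X-RateLimit-Remaining': String(result.remaining) } };
  return { status: 429, headers: { 'Retry-After': String(result.retryAfterSec) }, body: 'Too Many Requests' };
}
```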
6. Multi-Tenant Data Isolation
Kontraktr™ is a multi-tenant platform. Strict isolation guarantees that no tenant can access another tenant's data, even in the event of application-level bugs.
Each tenant's database context is set via AsyncLocalStorage, providing request-scoped isolation that cannot leak between concurrent requests.
Tenant identity is determined from the subdomain at the middleware level before any application logic executes.
File storage is prefixed per tenant, preventing cross-tenant file access at the storage layer.
Suspended or deactivated tenant accounts are blocked at the middleware layer, returning a TenantSuspendedError before any data access occurs.
A reserved subdomain list (admin, www, api, mail, and others) prevents namespace collisions.
Custom domain support includes verified tenant resolution to ensure that custom domains resolve only to their verified tenant.
7. Payment Security
Kontraktr™ never handles raw credit card data. All payment processing is fully delegated to Stripe.
Stripe is PCI DSS Level 1 certified — the highest level of payment security compliance. Credit card numbers, CVVs, and bank account details are collected and stored exclusively by Stripe.
Stripe Connect is used for tenant payouts, keeping payout credentials and banking details within Stripe's certified environment.
All incoming Stripe webhook payloads are verified using timing-safe HMAC signature comparison to prevent forged webhook attacks.
8. Third-Party Integration Security
External integrations are treated as untrusted by default. Every inbound webhook and outbound API call follows strict security controls.
Webhook signature verification: Inbound webhooks from Stripe, Twilio, QuickBooks, Shopify, and Square are validated using timing-safe HMAC comparison. Requests with missing or invalid signatures are rejected.
Circuit breaker pattern: Outbound calls to third-party services use a circuit breaker that opens after repeated failures, preventing a single degraded service from cascading into broader system instability.
Encrypted credentials: OAuth tokens and API keys for integrations are encrypted with AES-256-GCM before storage and decrypted only at the moment of use.
9. Monitoring & Incident Response
Continuous monitoring enables rapid detection and response to anomalies.
Structured logging: All application logs are structured JSON and shipped to Axiom for centralized analysis, alerting, and long-term retention.
Request tracing: Every request receives a unique correlation ID (x-request-id) enabling end-to-end tracing across services.
Error tracking: Sentry captures and alerts on unhandled exceptions, including stack traces and request context.
CSP monitoring: Content Security Policy violations are reported to a dedicated endpoint for analysis and triage.
Automated circuit breakers: Failing external services are automatically isolated to prevent cascading degradation.
Incident notification: In the event of a security incident affecting customer data, we are committed to notifying affected customers within 72 hours.
10. Security Testing
Automated testing validates that security controls work as intended and are not accidentally regressed.
End-to-end security test suites cover authentication flows, input validation, and multi-tenancy isolation boundaries.
Dedicated RBAC enforcement tests verify that each role can only access resources and actions appropriate to its permission level.
TOTP enrollment, verification, and account lockout flows are covered by unit tests.
Dependency auditing (npm audit) is run regularly to detect and remediate known vulnerabilities in third-party packages.
11. Compliance
We design our systems and processes to meet recognized privacy and security standards.
CCPA / GDPR: Our Privacy Policy details the data rights available to California residents and individuals in the European Economic Area, including access, correction, deletion, and portability.
Data Processing Agreement: A DPA is available for customers who require a formal data processing agreement.
Terms of Service: Our Terms of Service govern the use of the platform.
SOC 2 Type II: Planned and on our security roadmap. See the roadmap section below for details.
12. Responsible Disclosure
We welcome responsible disclosure from security researchers and take all reports seriously.
If you discover a security vulnerability in Kontrol™, please report it to: