Security Policy

Last updated: December 31, 2025

1. Security Overview

Credit Hero is committed to protecting your financial data with enterprise-grade security measures. We follow industry best practices and compliance standards to ensure your information remains safe, secure, and private.

2. Encryption

In Transit (TLS 1.3)

  • All data transmitted over HTTPS with TLS 1.3 encryption
  • Certificate pinning prevents man-in-the-middle attacks
  • Secure WebSocket (WSS) for real-time connections

At Rest

  • Database encryption at rest (Supabase PostgreSQL)
  • Sensitive fields encrypted with AES-256
  • Access tokens encrypted in secure HTTP-only cookies

3. Authentication & Access Control

User Authentication

  • Supabase Auth: Industry-standard JWT tokens with short expiration (1 hour)
  • Password Requirements: Enforced minimum complexity
  • Session Refresh: Automatic token refresh via edge proxy on every request
  • OAuth 2.0: Support for social login (Google, GitHub)

Database Access Control

  • Row-Level Security (RLS) enforces user-data isolation
  • Authenticated users can only access their own data
  • Stripe webhook endpoints authenticated with HMAC-SHA256

Admin Access

  • Admin accounts maintained in separate database table
  • Admin privileges require explicit admin role designation
  • Admin actions logged for audit trail

4. Third-Party Security

Stripe (Payment Processing)

PCI DSS Level 1 certified. We never store credit card data—Stripe handles all payment processing and encryption.

Plaid (Bank Connections)

SOC 2 Type II certified. We use Plaid's Auth product only for account linking. We never access your transaction history, and no sensitive financial data is stored.

Supabase (Backend)

PostgreSQL with row-level security, automatic backups, and disaster recovery. Data centers in multiple geographic regions.

Vercel (Hosting)

Global edge network with automatic DDoS protection, WAF (Web Application Firewall), and automatic HTTPS.

5. Data Protection Practices

  • Principle of Least Privilege: Users and services only access data they need
  • Data Minimization: We collect only necessary information
  • Regular Backups: Automated daily backups with recovery testing
  • No Unnecessary Copies: Data not copied to personal devices or external storage
  • Secure Deletion: Deleted data overwritten before storage reuse

6. Infrastructure Security

Network Isolation: Database not exposed to public internet; accessed only through authenticated API

API Security: Rate limiting, input validation, and CORS policies to prevent abuse

Environment Separation: Production and development environments isolated

Server Updates: Automatic security patches and OS updates

Monitoring: 24/7 system monitoring for intrusion detection

7. Testing & Auditing

  • Regular security code reviews for all changes
  • Automated dependency scanning for vulnerabilities
  • Annual third-party security audits
  • Penetration testing to identify weaknesses
  • Bug bounty program to encourage responsible disclosure

8. Incident Response

In the event of a security incident, we will:

  • Immediately investigate and isolate affected systems
  • Notify affected users within 24 hours (or as required by law)
  • Provide details on what happened, what data was affected, and steps to take
  • Offer free credit monitoring if relevant
  • Report to authorities as legally required
  • Conduct post-incident review to prevent recurrence

For security concerns, contact: security@creditheroapp.com

9. User Responsibilities

  • Passwords: Create strong, unique passwords and change them regularly
  • Logout: Always log out when finished, especially on shared devices
  • Phishing: We will never ask for your password via email or phone
  • Device Security: Keep your devices updated with security patches
  • VPN: Use a VPN on public WiFi networks
  • Reporting: Report suspicious activity immediately

10. Compliance Standards

GDPR (General Data Protection Regulation): EU data protection compliance

CCPA (California Consumer Privacy Act): California privacy rights

PCI DSS (Payment Card Industry): Payment security standards (via Stripe)

SOC 2 Type II: Security and availability controls (our providers are certified)

HIPAA-Ready: Designed to be HIPAA compliant for health data integration (future)

11. Vulnerability Disclosure

We appreciate responsible security researchers. If you discover a security vulnerability:

  • Do NOT publicly disclose the vulnerability
  • Email security@creditheroapp.com with details
  • Include reproduction steps and impact assessment
  • We'll respond within 48 hours and work with you on a fix
  • We recognize your contribution (with permission)

12. Security Policy Updates

This policy is updated regularly to reflect security improvements and new threats. We recommend reviewing this policy periodically.

13. Contact Us

Security Issues: security@creditheroapp.com

Data Protection: privacy@creditheroapp.com

General Questions: support@creditheroapp.com