Security

How we protect your data.

We’re a small team shipping fast, which means security has to be part of the default workflow — not an afterthought. Here’s what we do today and what we don’t yet claim.

Encryption in transit and at rest

All traffic is served over HTTPS (TLS 1.3). Database, blob storage (Cloudflare R2), and Redis are encrypted at rest by the respective vendors (Neon, Cloudflare, Upstash).

Authentication via NextAuth

Email + password uses bcrypt hashing with account lockout after repeated failed attempts. OAuth via Google, Discord, and Twitch. Session cookies are HTTP-only, secure, and SameSite=Lax.

CSRF + origin verification

Every mutating API route verifies the request origin against our allowed hosts. CSP headers prevent inline scripts. Webhooks from upstream providers are signature-verified when a secret is configured.

Audit logs for sensitive actions

Account changes, billing events, credit deductions, and admin actions are logged with user, timestamp, and action metadata. Logs are retained per our Privacy Policy.

Rate limiting + abuse controls

Per-user and per-IP rate limits via Upstash Redis sliding windows, plus a per-hour AI token-cost ceiling so a single account can’t run up unbounded provider costs.
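As an added illustration of the two controls just described, and not the site's own code, the following sketches a sliding-window limiter and a per-hour token-cost ceiling using an in-memory Map in place of Upstash Redis; the 60-second window, the 30-per-user and 100-per-IP limits and the 50,000-token hourly ceiling are assumed values.

```javascript
// Added example: sliding-window rate limits plus a per-hour token-cost
// ceiling. A Map stands in for the Upstash Redis store; all limits are
// assumed, not the site's configured values.

const WINDOW_MS = 60 * 1000;       // assumed 60-second sliding window
const HOUR_MS = 60 * 60 * 1000;    // cost ceiling is per clock hour

// Sliding-window log: keep the timestamps of recent hits for a key
// ("user:<id>" or "ip:<addr>") and count those still inside the window.
// Rejected requests are not recorded, so a blocked client cannot extend
// its own lockout by retrying.
function checkSlidingWindow(store, key, limit, windowMs, now) {
  const cutoff = now - windowMs;
  const recent = (store.get(key) || []).filter((t) => t > cutoff);
  if (recent.length >= limit) {
    store.set(key, recent);                 // drop aged-out entries
    return { allowed: false, remaining: 0 };
  }
  recent.push(now);
  store.set(key, recent);
  return { allowed: true, remaining: limit - recent.length };
}

// Per-hour AI token-cost ceiling: spend accumulates in a per-user bucket
// keyed by the current hour; a request whose estimated cost would push
// the bucket over the ceiling is refused before the provider is called.
function chargeTokenCost(store, userId, cost, ceiling, now) {
  const bucket = `cost:${userId}:${Math.floor(now / HOUR_MS)}`;
  const spent = store.get(bucket) || 0;
  if (spent + cost > ceiling) {
    return { allowed: false, spent };
  }
  store.set(bucket, spent + cost);
  return { allowed: true, spent: spent + cost };
}

// Order of checks as a mutating AI route would apply them: the cheap
// per-IP and per-user request limits first, then the cost ceiling.
function admitRequest(store, { userId, ip, estimatedCost }, now, opts = {}) {
  const { userLimit = 30, ipLimit = 100, ceiling = 50000 } = opts; // assumed defaults
  const ipCheck = checkSlidingWindow(store, `ip:${ip}`, ipLimit, WINDOW_MS, now);
  if (!ipCheck.allowed) return { ok: false, reason: "ip_rate_limited" };
  const userCheck = checkSlidingWindow(store, `user:${userId}`, userLimit, WINDOW_MS, now);
  if (!userCheck.allowed) return { ok: false, reason: "user_rate_limited" };
  const costCheck = chargeTokenCost(store, userId, estimatedCost, ceiling, now);
  if (!costCheck.allowed) return { ok: false, reason: "cost_ceiling" };
  return { ok: true, remaining: userCheck.remaining, spent: costCheck.spent };
}
```

In production the timestamp list and cost bucket would live in Redis (a sorted set and a counter with an hour-long TTL) so that all app instances share one view of a client's usage.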

Supply chain hygiene

npm audit gates on every CI run, blocking moderate-or-higher CVEs. Dependabot is enabled on the repo for automated dependency updates. Code scanning via GitHub CodeQL on every pull request.

Responsible Disclosure

Found something? Tell us first.

Mail security@prismposter.com with a clear reproduction, and we’ll acknowledge within one business day. We commit to:

  • No legal action against good-faith reporters acting within scope.
  • Credit in our public acknowledgments (unless you prefer anonymity).
  • An honest timeline for the fix + public disclosure once the patch ships.

What we don’t yet claim

We don’t have SOC 2 Type II or ISO 27001 certification. We plan to pursue SOC 2 when the customer base justifies the overhead. If that’s a blocker for your procurement team, please mail us and we’ll walk you through what we can provide today (architecture diagrams, data-flow docs, sub-processor list, encryption attestations).