Security & Trust

Security at StackBE

We handle authentication and billing data. Security isn't a feature—it's the foundation everything else is built on.

Our Security Principles

Encrypt Everything

All data is encrypted in transit (TLS 1.2+) and at rest. API keys, tokens, and sensitive fields use additional application-level encryption.

Minimal Access

Principle of least privilege everywhere. API keys are scoped per app. Internal access is role-based with audit logging.

No Credit Card Data

StackBE never touches credit card numbers. All payment data is handled by Stripe, who are PCI DSS Level 1 certified—the highest level.

Transparent Practices

We document our security practices openly. If something changes, we communicate it clearly.

Data Protection

Encryption

  • In transit: All API communication uses TLS 1.2 or higher. HSTS headers enforce HTTPS.
  • At rest: Database encryption using AES-256. Backups are encrypted.
  • API keys: Hashed before storage. Only the key prefix is stored in readable form for identification.
  • Tokens: JWT tokens with short expiration. Magic link tokens are single-use and time-limited.
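
The API key handling described above (digest stored, prefix kept readable for identification), as an added Node.js example that is not StackBE's own code. The `sk_` key format, the 12-character prefix, SHA-256 as the hash and the in-memory `keyStore` are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: the readable prefix is the first 12 characters of the key.
const PREFIX_LEN = 12;

// Stand-in for a database table: prefix -> { appId, hash }.
const keyStore = new Map();

// Keys carry 256 bits of randomness, so a fast digest is sufficient here;
// a slow password hash is only needed for low-entropy secrets.
function sha256(value) {
  return crypto.createHash('sha256').update(value).digest();
}

// Issue a key scoped to one app. The full key is returned to the caller
// once and never stored; only the prefix and the digest are kept.
function issueApiKey(appId) {
  let key, prefix;
  do {
    key = 'sk_' + crypto.randomBytes(32).toString('base64url');
    prefix = key.slice(0, PREFIX_LEN);
  } while (keyStore.has(prefix)); // regenerate on the rare prefix collision
  keyStore.set(prefix, { appId, hash: sha256(key) });
  return key;
}

// Resolve a presented key to its app id, or null when it does not match.
function verifyApiKey(presented) {
  if (typeof presented !== 'string' || presented.length <= PREFIX_LEN) {
    return null;
  }
  const record = keyStore.get(presented.slice(0, PREFIX_LEN));
  // Hash before checking the lookup so a miss and a hit do the same work.
  const candidate = sha256(presented);
  if (!record) return null;
  // Both buffers are 32-byte digests, so timingSafeEqual cannot throw.
  return crypto.timingSafeEqual(candidate, record.hash) ? record.appId : null;
}
```

A dump of `keyStore` exposes only prefixes and digests, so a leaked table does not yield usable keys.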

Data Storage

  • Database: PostgreSQL hosted on Render with automated backups, point-in-time recovery, and encryption at rest.
  • Region: Data hosted in the United States.
  • Retention: Customer data retained while account is active. Deleted upon request in accordance with our privacy policy.

API Security

Authentication

  • API key authentication for server-to-server calls
  • JWT bearer tokens for customer sessions
  • Magic link tokens are single-use, expire in 15 minutes
  • Rate limiting on all endpoints

Protection

  • CORS configuration per app
  • Request validation and sanitization
  • SQL injection prevention via parameterized queries (Prisma ORM)
  • Webhook signature verification

Payment Security (Stripe)

StackBE uses Stripe Connect for all payment processing. This means:

  • No card data on our servers. Credit card numbers, CVVs, and sensitive payment data are handled entirely by Stripe. We never see, store, or process card details.
  • PCI DSS Level 1. Stripe maintains the highest level of PCI compliance. By using Stripe Checkout, your checkout flow inherits this compliance.
  • Your Stripe account. Payments go to your Stripe account via Stripe Connect. You maintain the direct relationship with Stripe and full access to your funds.
  • Webhook verification. All Stripe webhooks are verified using Stripe's signing secrets before processing.

Infrastructure Security

Hosting

  • API: Render (managed Node.js)
  • Dashboard: Vercel
  • Marketing site: Cloudflare Pages
  • Database: Render PostgreSQL
  • All providers SOC 2 certified

Practices

  • Environment variables for all secrets
  • No secrets in code or version control
  • Automated deployments from protected branches
  • Dependency vulnerability scanning
  • Regular security updates

What Data We Store

| Data Type | What We Store | What We Don't |
|---|---|---|
| Customer Identity | Email address, name, app associations | Passwords (we use magic links) |
| Subscriptions | Plan, status, billing dates, Stripe IDs | Payment methods, card numbers |
| Billing | Invoice references, amounts, status | Full card details, bank accounts |
| Usage | Usage counts per metric per period | Request payloads or content |
| Authentication | Session tokens (hashed), login timestamps | Magic link tokens after use |

Responsible Disclosure

If you discover a security vulnerability, we want to hear about it. We appreciate responsible disclosure and will work with you to understand and address the issue.

Please report security issues through our contact page with "Security" in the subject. We aim to acknowledge reports within 24 hours and provide a timeline for resolution.

Please do not publicly disclose vulnerabilities until we've had a chance to address them.

Questions?

Security questions are welcome. Reach out through our contact page or review our security documentation for technical details.

Build with confidence

StackBE handles the security-sensitive parts of billing so you don't have to.
