Trust posture

Security at ExpediteMySite

We are a small, founder-led service. We take customer data security seriously because we have to - one mistake and the whole business goes away. This page is the same reference we give to procurement teams during security review.

The six pillars

Encrypted everywhere

AES-256 at rest on Supabase Postgres. TLS 1.3 in transit. HSTS preloaded with a two-year max-age. No customer data ever traverses the public internet unencrypted.

Row-level security

Every database table has RLS enabled. Application code authenticates each customer with a JWT-validated session before any project, order, or AI preview is returned. The service-role key, which bypasses RLS, is used server-side only and is never shipped to the browser.

Append-only audit log

Every project creation, payment event, refund, and admin action is written to an audit log that cannot be updated or deleted - even by our own service role. We can reconstruct every state change.

Stripe-grade payments

We never touch raw card data. Stripe Checkout handles the payment surface and keeps card data out of our PCI scope. Webhooks are signature-verified, livemode-checked, and replay-protected: each Stripe event ID is stored, and a redelivered event is processed at most once.

Rate-limited and CSRF-protected

Login, signup, and intake endpoints rate-limit by IP and by email. State-changing API routes verify the request Origin header against our own origin, so a page on another site cannot use a signed-in user's session cookie to make a request on their behalf.
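One way to implement that check, as an added example and not the site's own middleware. It goes a little beyond the Origin comparison the page describes: when a browser omits Origin, it falls back to the Sec-Fetch-Site request header and, last, to the Referer origin, and it treats the literal "null" origin as untrusted. The allowed origin https://app.example is a placeholder.

```javascript
// Added example, not the site's own middleware: is this state-changing request from our own
// origin? Browsers send Origin on all POST/PUT/PATCH/DELETE and on any cross-origin request;
// Sec-Fetch-Site is a second signal for the rare cases where Origin is missing.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// headers: plain object with lower-case keys, as most Node frameworks expose them.
function isTrustedRequest(method, headers, allowedOrigins) {
  // Safe methods must not change state, so they are not CSRF targets.
  if (SAFE_METHODS.has(String(method).toUpperCase())) return { trusted: true, reason: 'safe_method' };

  const get = (name) => headers[name.toLowerCase()];
  const origin = get('origin');

  if (origin !== undefined) {
    // "null" is sent by sandboxed iframes, data: URLs and some redirect chains: never trust it.
    if (origin === 'null') return { trusted: false, reason: 'null_origin' };
    return allowedOrigins.has(origin)
      ? { trusted: true, reason: 'origin_allowlisted' }
      : { trusted: false, reason: 'origin_not_allowed' };
  }

  // No Origin header: Sec-Fetch-Site (set by modern browsers, cannot be forged by a page).
  const site = get('sec-fetch-site');
  if (site === 'same-origin' || site === 'none') return { trusted: true, reason: 'fetch_metadata_' + site };
  if (site !== undefined) return { trusted: false, reason: 'fetch_metadata_' + site };

  // Last resort: Referer. Compare the full origin, not a string prefix, so
  // https://app.example.evil.example does not pass for https://app.example.
  const referer = get('referer');
  if (referer) {
    try {
      if (allowedOrigins.has(new URL(referer).origin)) return { trusted: true, reason: 'referer_allowlisted' };
    } catch { /* malformed Referer: fall through and reject */ }
  }
  return { trusted: false, reason: 'no_origin_evidence' };
}
```

Fail closed is the point: a request that carries no positive evidence of coming from our own origin is rejected. Non-browser clients that authenticate with an explicit Authorization header rather than a cookie are not CSRF targets and can be exempted before this check runs, but a cookie-authenticated request never should be.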

PII-redacting logs

Every log line passes through a server-side redactor that masks emails, phone numbers, JWTs, and provider secrets before the log leaves the process. We cannot accidentally leak PII into Vercel's log drain.
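A redactor of that kind, as an added example that is not the site's logger (it also illustrates the "PII-redacting structured logger" item in the controls reference below). The secret prefixes it knows about (Stripe sk_live_/sk_test_/whsec_, OpenAI sk-) and the sample log line are assumptions for illustration.

```javascript
// Added example, not the site's own logger: mask PII and credentials in every log line before
// it leaves the process. Rules run in order so that structured tokens (Bearer values, JWTs,
// provider secrets) are masked before the looser email/phone rules see the text.
const RULES = [
  // Authorization values: mask whatever follows "Bearer", regardless of token format.
  { name: 'bearer', re: /\bBearer\s+[A-Za-z0-9._~+/=-]+/g, mask: () => 'Bearer [REDACTED]' },
  // Bare JWTs: three base64url segments; the header segment of a JSON JWT always starts "eyJ".
  { name: 'jwt', re: /\beyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g, mask: () => '[JWT]' },
  // Provider secrets by prefix (assumed list: Stripe sk_live_/sk_test_/whsec_, OpenAI sk-).
  { name: 'secret', re: /\b(?:sk_(?:live|test)_|whsec_|sk-)[A-Za-z0-9_-]{8,}/g, mask: () => '[SECRET]' },
  // Emails: keep the first character and the domain so support can still correlate a line.
  { name: 'email', re: /\b([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b/g,
    mask: (_m, first, domain) => `${first}***@${domain}` },
  // Phones: North American / E.164-like shapes. Deliberately over-matches any bare 10-digit run.
  { name: 'phone', re: /(?<![\w.])(?:\+?\d{1,3}[\s.-]?)?(?:\(\d{3}\)|\d{3})[\s.-]?\d{3}[\s.-]?\d{4}(?![\w.])/g,
    mask: () => '[PHONE]' },
];

function redact(text) {
  let out = String(text);
  for (const rule of RULES) out = out.replace(rule.re, rule.mask);
  return out;
}

// Walk a structured event and redact every string in it, however deeply nested.
function redactEvent(value) {
  if (typeof value === 'string') return redact(value);
  if (Array.isArray(value)) return value.map(redactEvent);
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, redactEvent(v)]));
  }
  return value;
}

// The only function that should ever produce a line for stdout / the log drain.
function logLine(level, msg, fields = {}, now = new Date()) {
  const entry = redactEvent({ ts: now.toISOString(), level, msg, ...fields });
  return JSON.stringify(entry); // in production: process.stdout.write(line + '\n')
}

// Constructed sample line (placeholder email, phone, token and key; none are real).
const SAMPLE_LINE =
  'login ok user=jane.doe@example.com phone=+1 (415) 555-0100 ' +
  'auth=Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl stripe=sk_live_EXAMPLE1234567890';

function demo() {
  return redact(SAMPLE_LINE);
}
```

The phone rule is the one to watch: it will also mask a bare Unix timestamp such as 1700000000, because a redactor that masks too much is the safe failure mode, while one that lets a number through is not. Keep such values in dedicated numeric fields rather than free text if you need them intact.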

Controls reference

Mapped to the same domains we'd answer in a SOC 2 / vendor questionnaire.

Identity & access

  • Email + password authentication via Supabase Auth (signature-verified JWT sessions).
  • Role-based access control: customer, admin. Admin pages gate every load against profiles.role.
  • Project ownership checks on every project-scoped API route.
  • HMAC-signed capability tokens for the onboarding flow (1-hour TTL).

Network & transport

  • TLS 1.3 via Vercel.
  • HSTS: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload (two years).
  • Strict CSP with narrow script-src/connect-src/frame-src allowlists.
  • Frame-ancestors 'none', X-Frame-Options DENY (clickjacking defense).
  • Permissions-Policy locks down camera, mic, geolocation, and interest cohorts.

Data protection

  • AES-256 encryption at rest on Postgres.
  • Row-level security enabled and policy-enforced on every public table.
  • Append-only audit_log table with database-level triggers blocking UPDATE and DELETE.
  • Stripe webhook events stored with idempotent event IDs to prevent replay.
  • PII-redacting structured logger (emails, phones, JWTs, secrets masked).

Application input/output

  • Zod schema validation on every API route body.
  • Prompt-injection defenses on AI input: length caps, role-marker stripping, hidden-character normalization, delimiter framing.
  • Schema-validated AI output. Invalid model output is rejected, never persisted as if valid.
  • Cost-amplification caps on expensive LLM endpoints.

Operations

  • Quarterly vendor reviews of all sub-processors.
  • Incident response runbook with defined SEV1-4 SLAs.
  • Postgres point-in-time recovery (7-day window).
  • Secrets stored in Vercel environment variables; rotation policy documented.

Privacy rights

  • GDPR Article 15 (access): GET /api/account/export returns a machine-readable JSON of every record we hold about the signed-in user.
  • GDPR Article 17 (erasure): POST /api/account/delete schedules deletion with a 30-day grace period.
  • Data minimization: we do not log raw request bodies.
  • Sub-processor list maintained at runbooks/vendor-register.md and surfaced to customers on request.

Sub-processors

Vendors that process customer data on our behalf. We have a signed Data Processing Agreement with each one and review them quarterly.

Vendor     Role                                     Region
Vercel     Hosting & serverless compute             United States
Supabase   Postgres, auth, storage                  United States
Stripe     Payments                                 United States / Ireland
OpenAI     LLM inference (sanitized intake only)    United States
Resend     Transactional email                      United States
Upstash    Rate-limit counters (no PII)             United States

Where we're still maturing

We publish what's shipped and what isn't. Today the following are tracked improvements, not deployed controls.

In-flight

  • External error tracking (Sentry) with PII scrubbing.
  • Column-level encryption on free-text intake fields (pgsodium).
  • CSP nonce + strict-dynamic to drop 'unsafe-inline' on scripts entirely.
  • Independent third-party penetration test.
  • SOC 2 Type 1 readiness assessment.

Report a vulnerability

If you believe you've found a security issue, please email us before disclosing publicly. We will respond within one business day, work with you on a fix, and credit you (if you want credit) once the issue is patched.

PGP key on request
