Security & Trust

Framework, controls, and certifications

Overview

Endorsr is built with security as a foundational principle. We use a defence-in-depth approach combining encryption, access controls, audit logging, and continuous monitoring.

Data Encryption

At rest: AES-256 encryption for all database and file storage. Encryption keys managed by Supabase/KMS.
In transit: TLS 1.3 enforced for all network communications. HSTS enabled. No unencrypted HTTP endpoints.
End-to-end: Payment data is handled entirely by Stripe — Endorsr never stores raw card numbers or banking details.

Access Control

  • Row-level security (RLS) enforced at the database level for all user data
  • Service role keys restricted to Supabase Edge Functions — never exposed client-side
  • Multi-factor authentication available for all accounts
  • Session management with configurable expiry via Supabase Auth
  • Principle of least privilege applied to all internal access
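As an added illustration of the first two points above (not Endorsr's own schema), here is how row-level security and a least-privilege grant look in PostgreSQL on Supabase. The `profiles` table and its policy names are hypothetical; `auth.uid()` is Supabase's helper that returns the caller's user id from the request JWT, and `authenticated` is the role Supabase maps logged-in clients to. The service role bypasses RLS entirely, which is exactly why its key must stay inside Edge Functions.

```sql
-- Added example (hypothetical table, not Endorsr's schema): each user may read and
-- write only their own row. Assumes Supabase's auth.uid() and "authenticated" role.
create table if not exists public.profiles (
  id           uuid primary key references auth.users (id) on delete cascade,
  display_name text not null,
  created_at   timestamptz not null default now()
);

-- Turn RLS on. With no policies yet, every query from a non-bypass role returns nothing:
-- deny by default.
alter table public.profiles enable row level security;
-- Apply the policies to the table owner as well, not only to other roles.
alter table public.profiles force row level security;

-- Read: only your own row.
create policy profiles_select_own on public.profiles
  for select to authenticated
  using (id = auth.uid());

-- Insert: you may only create a row whose id is your own user id.
create policy profiles_insert_own on public.profiles
  for insert to authenticated
  with check (id = auth.uid());

-- Update: you may only touch your own row, and you cannot re-point it at another user
-- (USING filters the rows you can see; WITH CHECK constrains the result of the write).
create policy profiles_update_own on public.profiles
  for update to authenticated
  using (id = auth.uid())
  with check (id = auth.uid());

-- Least privilege at the grant level too: the anonymous role gets nothing.
revoke all on public.profiles from anon;
grant select, insert, update on public.profiles to authenticated;

-- Local check (Supabase derives auth.uid() from the "sub" claim it sets per request):
-- begin;
--   set local role authenticated;
--   set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001"}';
--   select * from public.profiles;   -- at most the one row owned by that id
-- rollback;
```

Note that there is no `delete` policy, so deletes are denied for `authenticated` even though the grant list could have included them; RLS and grants are independent layers and both must allow an operation.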

Audit Logging

All content review actions, administrative changes, and sensitive operations are recorded in an immutable, append-only audit log. Each entry is hash-chained to prevent tampering. Audit logs cannot be modified or deleted — even by administrators.
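The paragraph above describes an append-only, hash-chained log. The following is an added example of how such a table can be built in PostgreSQL; it is not Endorsr's own implementation. It assumes the `pgcrypto` extension (for `digest()`) and a hypothetical `audit` schema; all table, column and function names are illustrative.

```sql
-- Added example, not Endorsr's schema: an append-only, hash-chained audit table.
-- Assumes pgcrypto (digest) and a hypothetical "audit" schema.
create extension if not exists pgcrypto;
create schema if not exists audit;

create table if not exists audit.events (
  seq         bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid,                       -- who acted (null for system jobs)
  action      text  not null,             -- e.g. 'content.approve'
  target      text  not null,             -- e.g. 'post:1234'
  details     jsonb not null default '{}'::jsonb,
  prev_hash   bytea,                      -- row_hash of the previous entry (null for the first)
  row_hash    bytea not null              -- sha256 over this row's fields and prev_hash
);

-- Canonical string that gets hashed; shared by the insert trigger and the verifier so
-- both sides agree byte for byte.
create or replace function audit.canonical(p_prev bytea, p_at timestamptz, p_actor uuid,
                                           p_action text, p_target text, p_details jsonb)
returns text language sql immutable as $$
  select coalesce(encode(p_prev, 'hex'), '')
      || '|' || extract(epoch from p_at)::text   -- timezone-independent timestamp
      || '|' || coalesce(p_actor::text, '')
      || '|' || p_action || '|' || p_target
      || '|' || p_details::text;                 -- jsonb text output is normalised
$$;

-- BEFORE INSERT: link the new row to the current chain head. Callers cannot set the hashes.
create or replace function audit.chain_event() returns trigger language plpgsql as $$
declare
  last_hash bytea;
begin
  -- Serialise writers so two rows cannot both claim the same predecessor.
  perform pg_advisory_xact_lock(hashtext('audit.events'));
  select row_hash into last_hash from audit.events order by seq desc limit 1;
  new.prev_hash := last_hash;
  new.row_hash  := digest(audit.canonical(last_hash, new.occurred_at, new.actor_id,
                                          new.action, new.target, new.details), 'sha256');
  return new;
end $$;

create trigger events_chain before insert on audit.events
  for each row execute function audit.chain_event();

-- BEFORE UPDATE/DELETE: refuse, regardless of who the caller is.
create or replace function audit.reject_change() returns trigger language plpgsql as $$
begin
  raise exception 'audit.events is append-only; % rejected', tg_op;
end $$;

create trigger events_immutable before update or delete on audit.events
  for each row execute function audit.reject_change();

-- Privileges as a second layer: application roles may insert and read, nothing else.
revoke all on audit.events from public;
grant select, insert on audit.events to authenticated;

-- Verifier: walk the chain in order and return the seq of the first row whose link or
-- hash does not recompute (null when the whole chain is intact).
create or replace function audit.first_broken_link() returns bigint language plpgsql as $$
declare
  r        audit.events%rowtype;
  prev     bytea := null;
  expected bytea;
begin
  for r in select * from audit.events order by seq loop
    expected := digest(audit.canonical(prev, r.occurred_at, r.actor_id,
                                       r.action, r.target, r.details), 'sha256');
    if r.prev_hash is distinct from prev or r.row_hash <> expected then
      return r.seq;
    end if;
    prev := r.row_hash;
  end loop;
  return null;
end $$;

-- Usage: the application inserts events normally; a scheduled job runs the verifier.
-- insert into audit.events (actor_id, action, target, details)
--   values (null, 'content.approve', 'post:1234', '{"reason":"ok"}');
-- select audit.first_broken_link();   -- null when the chain is intact
```

Two design points worth knowing: the triggers stop ordinary roles from changing history, but a database superuser can still drop them, so the hash chain is what turns "cannot be modified" into "any modification is detectable"; and the verifier is most useful when it runs from a separate, read-only role on a schedule and alerts on a non-null result.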

Infrastructure

Database: Supabase (PostgreSQL) hosted on Google Cloud Platform (US regions)
Application: Railway (US) with automated deployments and rollback
CDN: Cloudflare global edge network with DDoS protection and WAF
Media: Cloudinary (image) and Mux (video) with signed URLs
Monitoring: Sentry (error tracking) and PostHog (self-hosted analytics)

Application Security

  • All user input validated server-side — client-side validation is UX only
  • Rate limiting on auth endpoints, search, and API routes
  • Content Security Policy (CSP) headers configured
  • SQL injection prevented via parameterised queries (Supabase client)
  • Dependencies monitored and updated regularly

Insurance & Certifications

  • Cyber Insurance: Active, $2M coverage
  • ISO 27001: In progress, target Q3 2026
  • SOC 2 Type II: Planned, target Q4 2026
  • UK GDPR: Compliant, full compliance

Report a Vulnerability

See our Vulnerability Disclosure Policy for responsible disclosure guidelines. Contact [email protected].