Trust & Safety

Security, end to end.

How ChoiceIdentity protects the platform that protects you — infrastructure, application, operations, and the posture we are building toward.

RLS enforced: every table, no exceptions
256-bit encryption: at rest and in transit
Audit logs: every sensitive action

Defense in depth

Six layers, working together

Credit and identity data deserve more than a single lock. Each layer is designed to fail safely — if one is compromised, the others still hold.

Infrastructure

Deployed on Vercel with a managed Postgres backend. Every request terminates at a TLS 1.2+ edge. Secrets live in Vercel env vars and are never in the repo.

Application

Row-level security on every table, CSRF protection via SameSite cookies, XSS protection via React escaping and a strict CSP, and server-side verification of the Stripe webhook signature on every webhook event.

Abuse & rate limits

Per-user and per-IP rate limits on sensitive endpoints. Anomalous call patterns trigger auto-suspension rules. Every API call is audit-logged for post-hoc review.

Monitoring

Uptime monitoring, error aggregation, and audit-log surfacing in the admin panel. Any auth anomaly (new device, unusual geo, rapid token refresh) is flagged for review.

Access control

Admin roles are split: super_admin, finance, and support — each scoped to what they need. Every administrative action writes an audit-log entry with actor, resource, and metadata.

Incident response

Documented internal runbook for suspected incidents — containment, investigation, and communication to affected members. We commit to timely, factual disclosure when it matters.

Where we're headed

Security roadmap

SOC 2 alignment

We are not SOC 2 certified today, but the operational controls — access reviews, audit logging, incident response, change management — are designed against SOC 2 Type II criteria. A formal audit is on the roadmap as the member base grows.

Penetration testing

Third-party penetration testing on a regular cadence, with findings tracked publicly at a summary level (no-spec disclosures only).

Responsible disclosure

If you believe you have found a security issue, please email support@choiceidentity.com with the subject line “Security Disclosure” and a short description. Do not publicly disclose until we have had a chance to respond and remediate — we commit to acknowledgement within 2 business days and status updates as we investigate.

Formal bug bounty

A formal bounty program is planned as we grow. Until then we respond to responsibly disclosed findings with gratitude and (where appropriate) acknowledgement.

Found something?

We take every report seriously. Email us with the subject line “Security Disclosure” and we will get back to you quickly.