Security & Data Handling
Last updated: 1 Jun 2026
CraftyAlpha follows a pragmatic, security-first operating model suitable for independent software products: least privilege by default, production secrets stored in managed environment controls, and clear response processes for incidents.
Infrastructure and access controls
- Production hosting runs on managed infrastructure (Vercel).
- Database and auth services run on managed PostgreSQL/Auth infrastructure (Supabase).
- Administrative access is restricted to allowlisted accounts and authenticated admin routes.
- Service-role credentials are used server-side only and never exposed to client bundles.
Payments and sensitive operations
- Card details are processed by Stripe and not stored by CraftyAlpha.
- Webhook ingestion validates signatures and records audit events for traceability.
- Payment-related event handling is designed to be idempotent, reducing the risk of duplicate processing when the same event is delivered more than once.
Monitoring and abuse controls
- Operational status is published at /status.
- Abuse controls and per-endpoint rate limits are applied to sensitive public API routes.
- Security-relevant operational data is logged for investigation and support.
Data handling
Personal data is handled according to the Privacy Policy and related legal pages. Only data needed for product operation, support, and compliance is retained.
Incident response
If a security issue is identified, CraftyAlpha will investigate, contain, remediate, and communicate material updates through appropriate channels, including direct support contact where required.
Security contact
Report suspected security concerns via hello@craftyalpha.com with enough detail to reproduce the issue.
CraftyAlpha is based in Scotland, is governed by Scots law, and is subject to the exclusive jurisdiction of the Scottish courts.