
Data Security

Encryption everywhere

All connections between your browser and our servers use TLS 1.2 or higher. Database connections, backup transfers, and admin tooling sessions are likewise encrypted in transit.

Authentication

Passwords are stored only as bcrypt hashes. The sign-in endpoint has brute-force protection, and we alert you when your account is signed into from a new country. You can optionally use "Sign in with Google" or "Sign in with Apple" (OAuth). Session tokens are short-lived, and admin accounts require multi-factor authentication.

Role-based access controls

Every API endpoint requires authentication unless it is explicitly marked as allowing anonymous access. Admin endpoints enforce the admin role check at the API layer, not just in the UI. Cross-user access is blocked by design: every report and upload row carries an explicit owner_id, and the API checks it against the authenticated user on every read.
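The two checks above (authentication-or-explicit-anonymous, admin role enforced server-side, and owner_id verified on every read) are easy to state and easy to get subtly wrong. The following is an added example, not the site's own code: it sketches those checks as API-layer handlers over a constructed in-memory SQLite table. The schema, the User model, and the handler names are assumptions for illustration.

```python
# Added example, not code from the site: the ownership and role checks described
# above, written as API-layer handlers over a constructed in-memory SQLite table.
# The schema, user model and handler names are assumptions for illustration.
import sqlite3
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


class Unauthenticated(Exception):
    """No valid session on the request (HTTP 401)."""


class Forbidden(Exception):
    """Authenticated, but the role check failed (HTTP 403)."""


class NotFound(Exception):
    """Row missing OR owned by someone else (HTTP 404 in both cases)."""


def make_db() -> sqlite3.Connection:
    """Constructed sample data: every report row carries an explicit owner_id."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, "
               "owner_id INTEGER NOT NULL, address TEXT NOT NULL)")
    db.executemany("INSERT INTO reports VALUES (?, ?, ?)",
                   [(101, 1, "12 Example St"), (102, 2, "9 Sample Ave")])
    return db


def require_auth(user: Optional[User]) -> User:
    """Every endpoint calls this unless it is explicitly marked anonymous."""
    if user is None:
        raise Unauthenticated()
    return user


def require_admin(user: Optional[User]) -> User:
    """Role check in the API layer; a hidden button in the UI is not a control."""
    user = require_auth(user)
    if user.role != "admin":
        raise Forbidden()
    return user


def get_report(db: sqlite3.Connection, user: Optional[User], report_id: int) -> dict:
    """Read endpoint. owner_id is part of the query itself, so a row that belongs
    to another user is indistinguishable from one that does not exist: no 403
    reveals which ids are valid, and there is no fetch-then-check code path."""
    user = require_auth(user)
    row = db.execute(
        "SELECT id, owner_id, address FROM reports WHERE id = ? AND owner_id = ?",
        (report_id, user.user_id),
    ).fetchone()
    if row is None:
        raise NotFound()
    return {"id": row[0], "owner_id": row[1], "address": row[2]}


def delete_user_reports(db: sqlite3.Connection, actor: Optional[User],
                        target_user_id: int) -> int:
    """Admin endpoint: the role is verified before any work is done."""
    require_admin(actor)
    cur = db.execute("DELETE FROM reports WHERE owner_id = ?", (target_user_id,))
    return cur.rowcount


def dispatch(handler, *args) -> int:
    """Map handler outcomes to HTTP status codes, as a framework error hook would."""
    try:
        handler(*args)
        return 200
    except Unauthenticated:
        return 401
    except Forbidden:
        return 403
    except NotFound:
        return 404


if __name__ == "__main__":
    db = make_db()
    alice, bob, admin = User(1, "user"), User(2, "user"), User(3, "admin")
    print(dispatch(get_report, db, alice, 101))          # own report
    print(dispatch(get_report, db, bob, 101))            # someone else's report
    print(dispatch(delete_user_reports, db, alice, 2))   # not an admin
    print(dispatch(delete_user_reports, db, admin, 2))   # admin, allowed
```

The point to check in any real codebase is the shape of the read query: the owner filter belongs in the WHERE clause (or an equivalent policy layer), never in a comparison made after the row has already been loaded, because the latter is the path that gets skipped when a new endpoint is added in a hurry.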

File storage

Inspection PDFs are stored encrypted at rest on Cloudflare R2; raw PDFs are never stored in the application database. Backups are AES-256 encrypted, transferred over TLS, and kept for 90 days on a rolling basis before being purged.

Payments

Every payment is processed by Stripe, a PCI DSS Level 1 service provider. We never see, store, or log your card details. Incoming Stripe webhooks are signature-verified server-side before they are acted on. Refunds are processed end-to-end through Stripe.
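Webhook signature verification is what stops anyone who can reach the webhook URL from posting a forged "payment succeeded" or "refund issued" event. As an added example, not the site's own code, here is the check written out for the Stripe header format: Stripe sends a Stripe-Signature header of the form t=<unix timestamp>,v1=<hex HMAC>, where the HMAC-SHA256 is computed with the endpoint's signing secret over the string "<timestamp>.<raw request body>". In production the official library (stripe.Webhook.construct_event) does this for you; the stand-alone version below exists to show what that call checks. The secret, body and timestamps are constructed for the example.

```python
# Added example, not code from the site: Stripe-style webhook signature check.
# The secret, body and timestamps are constructed; use the official Stripe
# library in production rather than this function.
import hashlib
import hmac
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # Stripe's default replay window


def sign_payload(secret: str, body: bytes, ts: int) -> str:
    """Build the header Stripe would attach. Used here only to generate test input."""
    signed = f"{ts}.".encode() + body
    digest = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return f"t={ts},v1={digest}"


def verify_signature(secret: str, body: bytes, header: str,
                     now: Optional[int] = None) -> bool:
    """Return True only if the header carries a fresh, valid v1 signature for body.

    body must be the raw bytes as received; re-serialising parsed JSON changes
    whitespace and key order and will not match the signature.
    """
    now = int(time.time()) if now is None else now
    timestamp: Optional[str] = None
    candidates = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            # Several v1 values can be present while the secret is being rotated.
            candidates.append(value)
    if timestamp is None or not candidates:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    # Reject old (or future-dated) events so a captured request cannot be replayed.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = hmac.new(secret.encode(), f"{ts}.".encode() + body,
                        hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak the match length via timing.
    return any(hmac.compare_digest(expected, c) for c in candidates)


if __name__ == "__main__":
    secret = "whsec_constructed_example_secret"
    body = b'{"id":"evt_constructed","type":"charge.refunded"}'
    ts = 1_700_000_000
    header = sign_payload(secret, body, ts)
    print(verify_signature(secret, body, header, now=ts + 10))        # genuine
    print(verify_signature(secret, body + b" ", header, now=ts + 10)) # body altered
    print(verify_signature(secret, body, header, now=ts + 600))       # replayed late
```

Two details matter in practice beyond the HMAC itself: verify over the raw request bytes before any JSON parsing, and enforce the timestamp tolerance, since without it a captured valid request can be replayed indefinitely.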

Audit logging

Every administrative action is appended to an append-only audit log: account deletions, data exports, opt-out toggles, role changes, and content deletions. Audit-log entries are tamper-evident and are retained for compliance reviews.

Incident response

We monitor production with uptime probes, error-rate tripwires, smoke tests on critical URLs, and nightly database backup health checks. If we discover a breach affecting your data, we will notify you within 72 hours. That is the deadline GDPR Art. 33 sets for notifying the supervisory authority; we apply the same 72-hour window to notifying affected users, including users outside the EU.

Vulnerability reporting

If you discover a security vulnerability, email support@buyersleverage.com with a description and reproduction steps. We do not currently run a paid bug bounty, but we credit responsible disclosures publicly with researcher permission.

Cookies

We use minimal cookies.

Authentication cookies are required for the service to work. Analytics cookies are optional and help us improve the product.