Security

1. Encryption in transit

All traffic between your browser and the Service, and between our application components, is encrypted with TLS (HTTPS).

2. Credentials

Passwords are stored only as one-way bcrypt hashes — we cannot read your password, and it is never transmitted or logged in plaintext. Card details are handled entirely by Stripe and never reach our servers. API keys are scoped per account and can be rotated from your profile.

3. Infrastructure

The Service runs on established cloud providers — Vercel (frontend), Railway (API) and Amazon Web Services (database and storage, eu-west-2 London region) — and inherits their physical and network security programs. We keep production access restricted to the personnel who need it.

4. Access controls and monitoring

Application access is role-based (user/admin), every API request is authenticated, and security-relevant events are recorded in audit logs that we retain for 12 months. Administrative access to production systems uses credentialed, least-privilege accounts.

5. Incident response

If a security incident affects personal data, we will notify the competent supervisory authority within 72 hours where required (GDPR art. 33), and affected users without undue delay where the incident is likely to result in a high risk to them or where applicable breach-notification laws require it. See the Privacy Policy.

6. Responsible disclosure

If you believe you have found a security vulnerability in the Service, please report it to privacy@containeer.comwith enough detail to reproduce it. Please do not access other users' data, degrade the Service, or publicly disclose the issue before we have had a reasonable opportunity to fix it. We will acknowledge reports promptly, keep you informed, and will not pursue legal action against good-faith research conducted within these guidelines.