
Security

Security overview.

Defense in depth, tenant isolation enforced at the database level, and a 72-hour incident notification commitment. Donor data is the most sensitive thing customers entrust to us, and we treat it that way.

Defense in depth

Every request goes through HTTPS termination at Vercel's edge, an authenticated middleware layer, row-level-security policies in Postgres, and signed Stripe webhooks. No single layer is the only line of defense.

Tenant isolation by RLS

Every customer's data lives behind row-level-security policies. A bug in application code cannot leak data across tenants — the database enforces isolation independently of the app, in both reads and writes.
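What "the database enforces isolation independently of the app, in both reads and writes" looks like in Postgres, as an added illustration that is not BetterWayIQ's own schema or policy code. It assumes a hypothetical donations table, an application role app_user, and that the app binds the caller's tenant into the session setting app.tenant_id (in a Supabase deployment this would more likely come from a JWT claim).

```sql
-- Added illustration (not the product's real schema): one table, isolated per
-- tenant by row-level security so that application bugs cannot cross tenants.
CREATE TABLE donations (
  id           bigserial PRIMARY KEY,
  tenant_id    uuid    NOT NULL,
  donor_name   text    NOT NULL,
  amount_cents integer NOT NULL CHECK (amount_cents > 0)
);

-- Enable RLS, and FORCE it so even the table owner is not exempt.
-- Caveat: superusers and roles with BYPASSRLS still skip policies, so the
-- role the app connects as must be neither.
ALTER TABLE donations ENABLE ROW LEVEL SECURITY;
ALTER TABLE donations FORCE ROW LEVEL SECURITY;

-- Assumption: the app sets app.tenant_id per session/request. Returns NULL
-- when unset, so a request with no tenant context matches no rows at all.
CREATE FUNCTION current_tenant() RETURNS uuid
  LANGUAGE sql STABLE AS
  $$ SELECT NULLIF(current_setting('app.tenant_id', true), '')::uuid $$;

-- USING filters reads (and which rows UPDATE/DELETE may touch);
-- WITH CHECK rejects any written row that would land in another tenant.
CREATE POLICY tenant_isolation ON donations
  FOR ALL
  USING      (tenant_id = current_tenant())
  WITH CHECK (tenant_id = current_tenant());

-- Least-privilege application role: table grants only, no ownership.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON donations TO app_user;
GRANT USAGE ON SEQUENCE donations_id_seq TO app_user;

-- Demonstration as the app role, bound to tenant A (constructed UUIDs).
SET ROLE app_user;
SET app.tenant_id = '11111111-1111-1111-1111-111111111111';

INSERT INTO donations (tenant_id, donor_name, amount_cents)
  VALUES ('11111111-1111-1111-1111-111111111111', 'A. Donor', 2500);  -- ok

-- A buggy code path that tries to write tenant B's data is refused:
-- ERROR: new row violates row-level security policy for table "donations"
INSERT INTO donations (tenant_id, donor_name, amount_cents)
  VALUES ('22222222-2222-2222-2222-222222222222', 'B. Donor', 100);

-- Even "SELECT *" with no WHERE clause only ever sees tenant A's rows.
SELECT id, donor_name, amount_cents FROM donations;
```

Verify the policy is actually in force with `SELECT relrowsecurity, relforcerowsecurity FROM pg_class WHERE relname = 'donations'` and `SELECT rolbypassrls FROM pg_roles WHERE rolname = 'app_user'`; both RLS flags should be true and the bypass flag false.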

72-hour notification

If we identify a security incident affecting your data, we'll notify your admin contact within 72 hours of confirming the incident, with scope, suspected cause, and remediation steps.

Operational specifics

Authentication

Magic-link sign-in via Supabase Auth. Sessions are short-lived JWTs with refresh tokens; password-based auth is not exposed to customers because magic-link flows close the credential-stuffing attack surface entirely.

Encryption

TLS 1.3 in transit. Data at rest is encrypted via Supabase's managed Postgres + Storage encryption (AES-256). Tenant credentials for third-party integrations (Neon API keys, etc.) are encrypted with a separate key per the encryption-at-rest layer.

Service accounts and least privilege

No human operator has direct production database access. Migrations and admin operations route through audited tooling. Vercel + Railway service accounts have scoped permissions that grant only what the deploy pipeline requires.

Logs, audit trail, and PII scrubbing

Application logs route to Vercel and Sentry; donor PII (names, emails, amounts) is scrubbed from error context before any third party sees it. Customer-facing audit logs of dashboard actions live in Postgres and are tenant-scoped.

Backups and recovery

Daily automated backups via Supabase. Point-in-time recovery for paid tiers. Customer data export available on request — full Postgres dump scoped to your tenant — within one business day.

Vendor security

Our infrastructure providers (Vercel, Supabase, Railway, Stripe, Resend, Sentry) all hold SOC 2 Type II reports or equivalent. We're available to walk through our subprocessor list and DPA on request.

Reporting a vulnerability

If you believe you've found a security issue, please email security@betterwayiq.com. We acknowledge receipt within one business day and aim to triage within three business days. We don't currently run a paid bug bounty, but we're happy to credit responsible disclosure publicly with the reporter's permission.

Product-level data handling, retention, and deletion are covered in the Donor Intelligence privacy policy. Brand-level practices are at /privacy.