Infrastructure
- Docker containerized deployment via Kamal
- Hetzner EU data centers (Germany)
- TLS/SSL encryption via Let's Encrypt
- Thruster reverse proxy with HTTP caching
- Non-root container execution
Data Encryption
- OAuth tokens encrypted at rest (Active Record Encryption)
- TLS 1.2+ for all data in transit
- bcrypt password hashing with appropriate cost factors
- No plaintext credentials stored anywhere
- Encrypted database backups
Access Controls
- Role-based access (Admin, Manager, Specialist, Viewer)
- Workspace-scoped permissions per client
- Secure session management with expiration
- Team invitation flow with token-based verification
- Audit trail for administrative actions
Application Security
- CSRF protection on all state-changing requests
- SQL injection prevention via parameterized queries
- XSS protection with automatic output escaping
- Content Security Policy headers
- Regular dependency audits (bundler-audit, Brakeman)
Third-Party Security
We integrate with trusted third-party services that maintain their own rigorous security standards:
- Meta APIs — All webhook payloads are verified using signature validation to ensure authenticity
- Stripe — PCI DSS Level 1 certified. We never store, process, or transmit card data on our servers
- MercadoPago — PCI DSS compliant. Payment data is handled entirely by their secure infrastructure
Incident Response
In the event of a security incident:
- Detection — Continuous monitoring and alerting for suspicious activity
- Investigation — Immediate assessment of scope, impact, and root cause
- Notification — Affected customers will be notified within 72 hours, in compliance with GDPR and applicable regulations
- Remediation — Swift action to contain, resolve, and prevent recurrence
Responsible Disclosure
We value the work of security researchers. If you discover a vulnerability in our platform, please report it responsibly. We commit to acknowledging your report within 48 hours and working with you to resolve the issue.