Security
How we protect your data and the Qualifyr platform.
Security is fundamental to Qualifyr. We handle sensitive client information, booking data, and payment flows — protecting this data is a core responsibility. This page describes our security practices and infrastructure.
Infrastructure
- Hosting: The Qualifyr web application is hosted on Vercel, which provides edge deployment, DDoS protection, and automatic SSL/TLS termination.
- Database & Auth: Supabase provides our database, authentication, and file storage infrastructure. Supabase runs on AWS with SOC 2 Type II compliance, offering encrypted data at rest (AES-256) and in transit (TLS 1.2+).
- Edge Functions: Server-side logic runs on Supabase Edge Functions (Deno runtime) with isolated execution environments.
Data Encryption
- In Transit: All data transmitted between your browser and Qualifyr is encrypted using TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS.
- At Rest: Data stored in Supabase is encrypted at rest using AES-256 encryption. Database backups are also encrypted.
- Secrets: API keys, database credentials, and other secrets are stored in encrypted environment variables and are never exposed in client-side code.
Authentication
- Authentication is managed by Supabase Auth, which supports email/password, magic links, and OAuth providers.
- User sessions use secure, HTTP-only cookies, and session tokens are refreshed automatically.
- Passwords are hashed using bcrypt with salting before storage — we never store plaintext passwords.
- Row Level Security (RLS) policies ensure users can only access their own data.
Payment Security
All payment processing is handled by Paddle, a PCI DSS Level 1 certified Merchant of Record. Qualifyr never collects, stores, or processes credit card numbers or payment card data directly. Paddle manages:
- PCI DSS compliant payment processing
- Fraud detection and prevention
- Card data tokenization
- Global tax compliance
For more information on Paddle's security practices, visit Paddle's Security Portal.
Access Controls
- Supabase Row Level Security (RLS) is enabled on all tables, ensuring users can only read and write their own data.
- Admin access to the Qualifyr dashboard is restricted to authorized personnel only.
- API routes validate authentication tokens before processing requests.
- Service role keys are server-side only and never exposed to client code.
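One way to express the per-user restriction described above, as an added example that is not Qualifyr's own schema or policies: a constructed bookings table whose rows can be read and written only by the authenticated user that owns them, using Supabase's auth.uid() helper, followed by a query that audits whether RLS is enabled on every table. The table and column names are assumptions for illustration.

```sql
-- Constructed example table (not Qualifyr's real schema).
create table bookings (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null default auth.uid(),  -- Supabase auth user id of the creator
  client     text not null,
  starts_at  timestamptz not null
);

-- Weak state: a table created with plain SQL starts with RLS disabled, so any
-- caller holding the anon or authenticated key can read and modify every row.
-- (alter table bookings disable row level security;)

-- Hardened state: enable RLS, then grant access only to rows the caller owns.
alter table bookings enable row level security;

create policy "owners can read their bookings"
  on bookings for select
  to authenticated
  using (owner_id = auth.uid());

create policy "owners can insert their bookings"
  on bookings for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "owners can update their bookings"
  on bookings for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "owners can delete their bookings"
  on bookings for delete
  to authenticated
  using (owner_id = auth.uid());

-- Note: the service role bypasses RLS entirely, which is why its key must
-- never reach client code.

-- Audit check: list any table in the public schema that still has RLS off.
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

An empty result from the final query means every public table has RLS enabled; policies still need to exist, since a table with RLS on and no policies denies all non-service access.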
Sub-Processors
We use the following third-party services to operate Qualifyr. Each handles data as described below:
| Provider | Purpose | Data Handled |
|---|---|---|
| Supabase | Database, Auth, Storage | User accounts, client data, bookings, files |
| Paddle | Payment processing | Payment details, billing info, transactions |
| Vercel | Hosting & deployment | Application code, request logs |
Vulnerability Reporting
If you discover a security vulnerability in Qualifyr, please report it responsibly by emailing support@qualifyr.app. We will review your report and respond within a reasonable timeframe. We ask that you do not publicly disclose the vulnerability until we have had a chance to address it.
Incident Response
In the event of a security incident affecting user data, we will:
- Investigate and contain the incident promptly
- Notify affected users in accordance with applicable data protection laws
- Take steps to prevent recurrence and improve our security posture
Contact Us
For security-related inquiries, please contact us at support@qualifyr.app.