Security
Effective June 11, 2026
Our security commitment
ExhibitStampPro™ processes confidential legal documents. We take security seriously and implement multiple layers of protection. This page describes our current security practices.
Infrastructure
Our application is hosted on Vercel's edge network, which provides DDoS protection, automatic TLS/HTTPS encryption, and infrastructure-level security monitoring. All data is stored on Supabase, which is built on AWS and complies with SOC 2 Type II. Database connections are encrypted in transit using TLS 1.3.
Data encryption
All data in transit is encrypted using TLS 1.3. Documents stored in Supabase Storage are encrypted at rest using AES-256. Authentication tokens are encrypted and stored securely. Webhook secrets and API keys are stored as environment variables — never in code or logs.
Access control
All documents are stored in private storage buckets and are not publicly accessible. Row Level Security (RLS) policies in the Supabase Postgres database restrict each user to their own matters and exhibits. Because the database itself enforces these policies, not just the application code, a query made with a user's credentials cannot return rows belonging to anyone else even if application code omits a filter. Authentication is handled via magic link email (no passwords to compromise) and Google OAuth. Sessions expire after 7 days of inactivity.
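To show concretely what database-enforced RLS and a private bucket look like in Supabase, here is an added example written for this page; it is not ExhibitStampPro's own schema or policy code. The table names (matters, exhibits), column names, bucket name and the "<matter_id>/<filename>" object path convention are all assumptions made for the illustration.

```sql
-- Added example, not the application's own schema. Table, column and bucket
-- names are assumptions for illustration only.
create table matters (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null references auth.users (id),
  title    text not null
);

create table exhibits (
  id           uuid primary key default gen_random_uuid(),
  matter_id    uuid not null references matters (id) on delete cascade,
  storage_path text not null
);

-- Until RLS is enabled, policies are not consulted at all and any role that
-- can reach the table sees every row. Enabling it with no policies means
-- "deny everything" for non-owner roles, which is the safe starting point.
alter table matters  enable row level security;
alter table exhibits enable row level security;

-- Owner-only access to matters. auth.uid() is the Supabase helper that
-- returns the user id taken from the verified JWT of the current request.
-- USING guards reads/updates/deletes; WITH CHECK guards the rows written,
-- so a user cannot insert a matter owned by someone else.
create policy "matters: owner only"
  on matters
  for all
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Exhibits inherit access from their parent matter. The same predicate is
-- used for WITH CHECK so a user cannot attach an exhibit to another
-- user's matter.
create policy "exhibits: via matter owner"
  on exhibits
  for all
  to authenticated
  using (
    exists (select 1 from matters m
            where m.id = exhibits.matter_id and m.owner_id = auth.uid())
  )
  with check (
    exists (select 1 from matters m
            where m.id = exhibits.matter_id and m.owner_id = auth.uid())
  );

-- A private bucket: public = false means no unauthenticated URL access.
-- Object reads are then governed by a policy on storage.objects. Assumed
-- convention: objects are stored at <matter_id>/<filename>, so the first
-- path segment identifies the matter.
insert into storage.buckets (id, name, public)
values ('exhibits', 'exhibits', false);

create policy "exhibit files: matter owner only"
  on storage.objects
  for select
  to authenticated
  using (
    bucket_id = 'exhibits'
    and exists (select 1 from matters m
                where m.id::text = (storage.foldername(name))[1]
                  and m.owner_id = auth.uid())
  );

-- Quick check, run the way PostgREST runs requests: switch to the
-- authenticated role and set the JWT claims for the transaction. The uuid
-- is a placeholder. Only rows under matters owned by that user come back.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
select count(*) from exhibits;
rollback;
```

Two caveats worth keeping in mind when reading this: the Supabase service_role key bypasses RLS entirely, so it must only ever be used server-side and never shipped to a browser; and a bucket policy is only as good as the path convention it parses, so the application must control where objects are written rather than letting clients choose arbitrary paths.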
Authentication
We use magic link authentication (passwordless email) and Google OAuth. Because no password is ever created or stored, password-based attacks such as credential stuffing, password reuse and leaked password databases do not apply; the security of an account then rests on the security of the user's email account or Google account. All authentication events are logged. We plan to support SAML/SSO for enterprise customers.
Audit logging
All significant actions — document uploads, stamp operations, exports, and account changes — are logged with timestamps and user identifiers. Logs are retained for 12 months.
Employee access
Access to production systems is limited to essential personnel. We do not access customer documents except to resolve support issues at your explicit request. All staff with access to production systems are subject to confidentiality agreements.
Vulnerability disclosure
If you discover a security vulnerability in our Service, please report it responsibly to contact@exhibitstamppro.com. We will acknowledge your report within 48 hours and work to resolve confirmed vulnerabilities promptly. We do not pursue legal action against researchers who report vulnerabilities in good faith.
SOC 2 roadmap
We are building toward SOC 2 Type II compliance. Our infrastructure providers (Supabase, Vercel) are already SOC 2 Type II certified. We are implementing the organizational controls, policies, and monitoring required for our own SOC 2 audit. Enterprise customers requiring SOC 2 reports from us may contact contact@exhibitstamppro.com to discuss the timeline.
Incident response
In the event of a security incident affecting your data, we will notify affected users within 72 hours of becoming aware of it. This matches the 72-hour window within which GDPR requires a personal data breach to be reported to the supervisory authority. Notification will include the nature of the incident, the data affected, and the steps taken to address it.
Payment security
We do not store credit card information. All payment processing is handled by Lemon Squeezy, which is PCI DSS compliant. We store only a customer ID reference for subscription management.