Security
Last updated: April 24, 2026
1. Infrastructure
Hosting
ProviderHub is hosted on Fly.io edge infrastructure across multiple geographic regions, with automatic failover. Database and authentication are powered by Supabase (PostgreSQL on AWS infrastructure in us-east-1). File storage uses Cloudflare R2.
Network
- All traffic is served over TLS 1.2+ (TLS 1.3 preferred). HTTP connections are permanently redirected to HTTPS.
- HSTS (HTTP Strict Transport Security) is enforced with a 1-year max-age.
- DNS is managed through Cloudflare, including DDoS mitigation and WAF.
2. Data Protection
- Encryption at rest: All database data is encrypted with AES-256 at the storage layer.
- Encryption in transit: All connections between clients, servers, and third-party services use TLS.
- Row-Level Security (RLS): Supabase RLS policies ensure users can only access their own data at the database level — not just at the application layer.
- Payment data: We do not store card numbers or full payment credentials. All payment processing is delegated to Stripe, which is PCI DSS Level 1 certified.
3. Authentication
- Authentication is provided by Supabase Auth (built on GoTrue). Passwords are hashed with bcrypt.
- Email + password and OAuth (Google, Apple) sign-in are supported.
- Session tokens are issued as short-lived JWTs (1 hour) with silent refresh via secure httpOnly cookies.
- The authentication cookie is scoped to .listdeed.com for SSO across ListDeed products, with SameSite=Lax and Secure flags set in production.
- MFA (TOTP) is available to all users in account settings.
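One way to check that live response headers actually carry the cookie attributes stated in section 3 and the one-year HSTS max-age stated in section 1. This is an added example, not ListDeed's own code; the cookie name sb-session and the sample header values are constructed for illustration.

```python
# Added example: verify Set-Cookie and Strict-Transport-Security values
# against the policy above. Cookie name and sample headers are constructed.
ONE_YEAR = 365 * 24 * 3600

# Constructed sample headers (not captured from a real ProviderHub response).
GOOD_COOKIE = "sb-session=abc123; Domain=.listdeed.com; Path=/; Secure; HttpOnly; SameSite=Lax"
BAD_COOKIE = "sb-session=abc123; Path=/; SameSite=None"


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and lower-cased attributes.
    Flag attributes (Secure, HttpOnly) map to True; valued ones to their string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if eq else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def check_session_cookie(header: str) -> list:
    """Return the policy violations found in a session Set-Cookie header."""
    attrs = parse_set_cookie(header)["attrs"]
    problems = []
    # Domain must be the shared SSO domain (leading dot is optional per RFC 6265).
    if str(attrs.get("domain", "")).lstrip(".").lower() != "listdeed.com":
        problems.append("domain not scoped to .listdeed.com")
    if attrs.get("secure") is not True:
        problems.append("missing Secure")
    if attrs.get("httponly") is not True:
        problems.append("missing HttpOnly")
    # Policy states Lax; Strict is accepted as the stronger setting, None is not.
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        problems.append("SameSite not Lax/Strict")
    return problems


def check_hsts(header: str) -> list:
    """Return the policy violations found in a Strict-Transport-Security value."""
    directives = {}
    for directive in header.split(";"):
        key, _, val = directive.strip().partition("=")
        directives[key.lower()] = val
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0  # malformed max-age counts as absent
    return [] if max_age >= ONE_YEAR else [f"max-age {max_age} below one year"]
```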
4. Access Controls
- ListDeed employees follow a principle of least privilege — access to production data is restricted and audited.
- Production database direct access requires VPN and approved SSH key authentication.
- All privileged access is logged and reviewed monthly.
5. Vulnerability Management
Dependency scanning
We run automated dependency audits (npm audit, Dependabot) and patch critical CVEs within 48 hours of disclosure. High-severity vulnerabilities are patched within 7 days.
Code review
All code changes undergo peer review before merging. Security-sensitive changes (auth, payments, data access) require review by a senior engineer.
6. Incident Response
In the event of a confirmed data breach affecting personal data, we will notify affected users and relevant supervisory authorities within 72 hours of discovery, as required by applicable law. Notification will include a description of the incident, the data categories affected, and the steps taken.
7. Responsible Disclosure
We welcome reports from security researchers. If you discover a potential vulnerability in ProviderHub or any ListDeed product, please contact us at security@listdeed.com with:
- A description of the vulnerability and its potential impact
- Steps to reproduce (proof-of-concept if possible)
- Your contact details for follow-up
We ask that you do not publicly disclose the issue until we have had a reasonable opportunity (typically 90 days) to investigate and remediate. We will acknowledge receipt within 2 business days and keep you informed of our progress.
Scope
In-scope assets include any subdomain of listdeed.com, all ProviderHub mobile clients, and all ListDeed APIs. Out of scope: social engineering of employees, physical attacks, and automated scanning that impacts service availability.
8. Bug Bounty
We do not currently operate a formal paid bug bounty program. We do offer public acknowledgment in our security hall of fame for valid, responsibly disclosed reports of significant findings.
9. Contact
Security reports: security@listdeed.com
PGP key available on request.