
Security

How we protect your data and ensure compliance

Security Features

API Key Hashing

All API keys are hashed using bcrypt with 12 salt rounds. We cannot retrieve your original API key; if it is lost, we generate a new one.

AES-256-GCM Encryption

Stripe restricted keys are encrypted at rest using AES-256-GCM. Keys are never stored in plaintext.

Security Headers

All responses include security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security (HTTPS only).

Rate Limiting

API endpoints are protected with rate limiting using Upstash Redis (with in-memory fallback) to prevent abuse and DoS attacks.

CORS Protection

Cross-Origin Resource Sharing is strictly controlled with configurable allowed origins to prevent unauthorized access.

Request Size Limits

All API requests are limited to 1MB by default to prevent DoS attacks and resource exhaustion.

PII Scrubbing

Activity logs are automatically sanitized to remove personally identifiable information before storage.

Row Level Security (RLS)

Database tables are protected with Row Level Security policies, ensuring data isolation between merchants.

Stripe Key Security

🔒 Security Guarantee

Vantirs requires restricted API keys only. We never ask for your full Stripe secret key.

Your restricted key can only:

  • Read charges and disputes
  • Write to disputes (submit evidence)
  • Upload files to Stripe

Your restricted key cannot:

  • Access customer data
  • Create or modify charges
  • Access payment methods
  • Modify account settings

Encryption at Rest

All Stripe restricted keys are encrypted using AES-256-GCM before being stored in the database. The encryption key is never stored alongside the encrypted data.

Key Rotation

You can rotate your Stripe key at any time through the onboarding page. The old key is immediately invalidated and removed from our system.

Access Control

Only the service role (backend) can decrypt and use your Stripe key. Frontend applications never have access to decrypted keys.

Database Security

Row Level Security (RLS)

All tables have Row Level Security enabled, ensuring that:

  • Merchants can only access their own data
  • Service role has full access (required for backend operations)
  • Anonymous keys cannot access sensitive data

Function Security

Database functions use SET search_path = public to prevent search path injection attacks.

Connection Security

All database connections use SSL/TLS encryption. Connection strings are stored securely as environment variables.

Webhook Security

Signature Verification

All Stripe webhooks are verified using HMAC-SHA256 signatures. Requests without valid signatures are immediately rejected.

Idempotency

All webhook handlers are idempotent, meaning duplicate events are safely ignored. This prevents double-processing of disputes.

Event Validation

Webhook events are validated against Stripe's API to ensure they're legitimate before processing.
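
The signature check and duplicate handling described above, as an added Python example (not Vantirs' own code). It assumes Stripe's documented Stripe-Signature header format (t=<timestamp>,v1=<hex>), a 300-second tolerance, and an in-memory set standing in for a durable event store; all function names are hypothetical.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed replay window; the page does not state one
SAMPLE_EVENT = b'{"id": "evt_constructed_1", "type": "charge.dispute.created"}'  # constructed


def parse_signature_header(header):
    """Split 't=<unix ts>,v1=<hex>[,v1=<hex>]' into (timestamp, [signatures])."""
    timestamp, signatures = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isascii() and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def expected_signature(payload, timestamp, secret):
    """HMAC-SHA256 over '<timestamp>.<raw body>', hex encoded."""
    signed = str(timestamp).encode() + b"." + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify_signature(payload, header, secret, now=None):
    timestamp, signatures = parse_signature_header(header)
    if timestamp is None or not signatures:
        return False
    now = time.time() if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # too old or future-dated: treat as a replay
    want = expected_signature(payload, timestamp, secret).encode()
    # Constant-time comparison; several v1 values can appear during secret rotation.
    return any(hmac.compare_digest(want, s.encode()) for s in signatures)


def handle_webhook(payload, header, secret, seen_event_ids, now=None):
    """Verify the raw body first, then deduplicate on the event id."""
    if not verify_signature(payload, header, secret, now):
        return 400, "rejected"
    event_id = json.loads(payload).get("id")
    if not event_id:
        return 400, "rejected"
    if event_id in seen_event_ids:  # hypothetical stand-in for a durable store
        return 200, "duplicate"  # acknowledge so the sender stops retrying
    seen_event_ids.add(event_id)
    return 200, "processed"
```

The signature must be computed over the raw request bytes, before any JSON parsing or re-serialization; in production the seen-ID check and insert need to be a single atomic operation in the backing store.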

Compliance & Certifications

PCI DSS Compliant (via Stripe's infrastructure)

GDPR Compliant data handling

SOC 2 Type II infrastructure (Supabase)

Regular security audits and penetration testing

Security Best Practices

For Merchants

  • Always use restricted Stripe API keys (never full secret keys)
  • Rotate your API keys regularly
  • Keep your Vantirs API key secure and never share it
  • Monitor your dashboard for suspicious activity
  • Report any security concerns immediately

For Vantirs

  • Regular security audits and penetration testing
  • Automated vulnerability scanning
  • Security incident response plan
  • Regular dependency updates
  • Encrypted backups with secure key management
