We take the security of your data and your users' data seriously. Here's exactly how we protect it.
Encryption in transit
All data between your browser, our servers, and embedded widgets is transmitted over TLS 1.3. HTTPS is enforced everywhere — no unencrypted connections are accepted.
Encryption at rest
All database data is encrypted at rest using AES-256 via Supabase (PostgreSQL) managed infrastructure. Backups are encrypted with the same standard.
No tracking or ad use
We do not sell your data. We do not share it with advertisers. Testimonials and user data are used exclusively to power your ShipPulse project — nothing else.
Authentication security
Magic link authentication means no passwords to breach. OAuth providers (Google, GitHub) are supported. Sessions use short-lived JWTs with secure httpOnly cookies.
API key isolation
Each project has its own API key with scoped permissions. Keys are hashed before storage. Webhook payloads are signed with HMAC-SHA256 so you can verify authenticity.
Responsible disclosure
Found a vulnerability? Please disclose it responsibly. We commit to acknowledging your report within 48 hours and keeping you updated throughout resolution.
GDPR
We are GDPR-compliant. Data is processed on the legal basis of contract performance. You can export or delete all your data at any time from your account settings.
Data residency
All data is stored in the EU (Frankfurt, Germany) on Supabase infrastructure. We do not transfer personal data outside the EEA without appropriate safeguards.
Data processor
ShipPulse acts as a data processor when processing testimonials submitted by your users. A Data Processing Agreement (DPA) is available for all paid plans.
Sub-processors
We maintain a public list of all sub-processors (Supabase, Contabo, Resend, Lemon Squeezy, xAI, OpenAI, Axiom, DeepL). Changes are communicated 14 days in advance.
| Component | Provider | Location |
|---|---|---|
| Web app & API | Contabo VPS (Docker, Nginx) | EU (Germany) |
| Database (PostgreSQL) | Supabase | EU (Frankfurt) |
| Email delivery | Resend | EU routing |
| Widget serving | Nginx (same server) | EU (Germany) |
| Rate limiting | In-memory (Upstash in v2) | — |
| Billing | Lemon Squeezy | US (Stripe-backed) |
| Logs & observability | Axiom | EU region |
| AI features | xAI (Grok) | US |
If you've discovered a security vulnerability, please email us at [email protected] instead of opening a public issue. We'll acknowledge your report within 48 hours and work with you to resolve it promptly. We appreciate responsible disclosure and will credit researchers who help us keep ShipPulse secure.