Security

1. Account security

1.1 Authentication

• Authentication handled by Clerk — SOC 2 Type II certified
• Passwords are never stored in plaintext — Clerk uses bcrypt-equivalent hashing with per-user salts
• Optional sign-in via Google or Apple SSO (managed by Clerk)
• Phone-number verification required at signup — anti-fraud + one-account-per-person enforcement

1.2 Multi-factor authentication (MFA)

• SMS-based MFA available to all users
• Authenticator app (TOTP) MFA available — recommended for paid plans
• Passkey support via Clerk for password-less sign-in
• Backup codes for account recovery (generated when MFA is enabled)

1.3 Session management

• Maximum 3 concurrent sessions per user (Pro) / 2 sessions (Base) / 1 session (free)
• Session inactivity timeout: 7 days
• New device login invalidates the oldest session if at limit
• You can review and revoke active sessions in your account settings
• Session anomaly detection (2+ countries simultaneously) — triggers email alert (on the roadmap)

1.4 Bot protection

• Cloudflare Turnstile CAPTCHA on signup and password-reset flows
• Disposable / temporary email domains flagged at signup (80+ blocklisted domains)
• IP-based rate limiting on AI queries, bet tracker writes, and contact forms (Upstash Redis)

2. Payment security

• All payment processing handled by Stripe — PCI-DSS Level 1 certified (highest tier)
• KiqIQ never sees raw card numbers — Stripe tokenises card details client-side
• 3D Secure 2 (SCA) enforced for European cards under PSD2
• Stripe Radar fraud rules block high-risk transactions automatically
• Customer Portal for self-service billing, invoice history, payment-method updates, cancellation
• Stripe-managed VAT calculation for EU/UK customers (Stripe Tax)

3. Data security

3.1 Encryption

• In transit: HTTPS / TLS 1.2+ enforced across the entire site (Vercel-managed certificates)
• At rest: AES-256 encryption on all database storage (Supabase + Clerk + Stripe)
• Backups: Daily automated backups with same-region encrypted storage

3.2 Data residency

• EU users: Supabase database hosted in Frankfurt (EU region)
• EU users: PostHog analytics hosted in Frankfurt (EU region)
• EU users: Sentry error monitoring hosted in Frankfurt (EU region)
• Cross-border transfers (where required) governed by EU-US Data Privacy Framework, EU SCCs, UK IDTA — see Privacy Policy

3.3 Access controls

• Principle of least privilege: KiqIQ team members have access only to the systems needed for their role
• Database access via service role keys never exposed to the client
• Row Level Security (RLS) enforced on all user-owned tables
• Admin actions logged with timestamps and user attribution
• Production access requires MFA

3.4 PII filtering

• Sentry error reports: PII scrubbed via server-side scrubbing rules before transmission
• Server logs: 90-day retention max, then auto-deleted
• AI chat history: encrypted at rest; deletable by user via account settings

4. Infrastructure security

4.1 Hosting and edge security

• Vercel hosting with global CDN — DDoS mitigation included
• Cloudflare in front of critical endpoints (planned)
• Auto-scaling reduces single-point-of-failure risk
• Production deployments require code review + automated test pass

4.2 Secrets management

• Environment variables managed via Vercel encrypted env store
• Secrets never committed to the git repository
• Secret rotation policy: API keys rotated annually, on team change, or on suspected compromise
• Stripe and Clerk webhook signatures verified on every request — replay attack prevented

4.3 Subprocessor security

Every third-party processor KiqIQ uses has executed a Data Processing Agreement (DPA) with appropriate technical and organisational measures. See kiqiq.com/subprocessors for the complete list. Each processor maintains independent SOC 2 / ISO 27001 / PCI-DSS audits.

5. Application security

• Strict Content Security Policy (CSP) headers limit script execution
• HTTP Strict Transport Security (HSTS) prevents downgrade attacks
• X-Frame-Options prevents clickjacking
• SameSite cookies prevent CSRF
• Input validation on all user-facing forms with server-side sanitisation
• SQL injection prevented via Supabase parameterised queries (no raw SQL with user input)
• Output escaping handled automatically by React
• Dependency vulnerabilities scanned via GitHub Dependabot — auto-PRs for security patches

6. Responsible disclosure programme

We welcome security researchers reporting vulnerabilities responsibly.

6.1 In scope

• kiqiq.com and any subdomain (auth.kiqiq.com, api.kiqiq.com, etc.)
• Account takeover, privilege escalation, data exfiltration, payment-related vulnerabilities
• Webhook signature bypass, rate-limit bypass, RLS bypass

6.2 Out of scope

• Vulnerabilities in third-party services we use (report directly to that vendor)
• Denial-of-service attacks, brute-force attempts, or social engineering of staff
• Self-XSS or attacks requiring physical device access
• Missing security headers without demonstrable impact

6.3 How to report

• Email security@kiqiq.com with details
• Provide reproduction steps, affected URLs, and any proof-of-concept code
• Allow up to 90 days for remediation before public disclosure
• We will acknowledge your report within 5 business days

6.4 Recognition

KiqIQ does not currently run a paid bug bounty programme but commits to:

• Public acknowledgement of researchers who help us (with consent)
• Hall-of-Fame page on this site (planned)
• Pro plan credit (1 year) for severity-medium-or-above confirmed reports
• No legal action against good-faith research that follows this disclosure policy

7. Incident response

If a personal data breach occurs:

1. T+0 to T+4h: Detection (Sentry alerts + log review). Containment.
2. T+4h to T+12h: Severity assessment. Affected user count.
3. T+72h max: Notify supervisory authority (UK ICO, EU lead authority) where required by law.
4. Without undue delay: Notify affected users with breach summary, mitigations, and next steps.
5. Within 7 days: Internal post-mortem and remediations.

Full breach response runbook lives in our internal documentation. The DPA tracker at /subprocessors is the public source of truth for who processes what data on our behalf.

8. Compliance certifications and audits

• Stripe (payments): PCI-DSS Level 1, SOC 1 Type 2, SOC 2 Type 2, ISO 27001
• Clerk (auth): SOC 2 Type II
• Supabase (database): SOC 2 Type II, HIPAA
• Vercel (hosting): SOC 2 Type II
• OpenAI (AI): SOC 2 Type II, ISO 27001
• PostHog (analytics): SOC 2 Type II
• Sentry (errors): SOC 2 Type II, ISO 27001

KiqIQ does not currently hold a direct SOC 2 audit. Our entire stack is built on SOC 2-audited providers, which means the underlying infrastructure already meets that standard. A direct KiqIQ SOC 2 audit is on the Phase 4 roadmap if customer demand justifies the cost.

9. Account security recommendations for users

• Enable MFA on your KiqIQ account
• Use a unique password (not reused from another site)
• Sign out of shared devices after use
• Review active sessions in your account settings periodically
• Report suspicious account activity immediately to security@kiqiq.com
• Use a hardware security key (YubiKey, etc.) if available — strongest second factor

10. Contact

• Security reports / vulnerability disclosure: security@kiqiq.com
• Privacy / data subject rights: privacy@kiqiq.com
• General support: hello@kiqiq.com