1. Our commitment
Security is an engineering requirement at TeamMedia: protections are designed into the platform, reviewed with every change, and documented here so customers and payment partners can evaluate them.
2. Infrastructure
- Hosting on Vercel with TLS 1.2+ enforced for all traffic (HSTS with preload).
- Data stored in Supabase-managed PostgreSQL with encryption at rest provided by the platform.
- Uploads stored in Vercel Blob with validated types and size limits; SVG uploads are rejected to prevent stored-XSS.
- No card data ever touches our infrastructure — payments are processed by PCI-DSS-compliant providers.
3. Application security
- Strict security headers: Content-Security-Policy, HSTS, X-Frame-Options DENY, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
- All public write endpoints validate input with schema validation, enforce length limits and are rate-limited per IP.
- Admin area gated by HMAC-SHA256-signed, HTTP-only, SameSite cookies; login attempts are rate-limited and compared in constant time.
- Server-side price resolution: order amounts are looked up from the catalog on the server, never trusted from the client.
- Structured JSON-LD and user content are serialized with XSS-safe escaping.
4. Access control
Internal access follows least privilege: production secrets live in the hosting provider's encrypted environment configuration, are never committed to source control, and administrative access is limited to named staff with hardware-backed MFA on the underlying accounts.
5. Monitoring and incident response
We monitor availability and error rates and keep server logs for up to 30 days. Suspected incidents follow a written runbook: contain, assess impact, notify affected customers without undue delay (within 72 hours for personal-data breaches per the DPA), remediate and post-mortem.
6. Responsible disclosure
We welcome good-faith security research. Report vulnerabilities to [email protected] with reproduction steps; do not access other users' data, degrade the service, or publicly disclose before we confirm a fix. We commit to acknowledging reports within 72 hours, will not pursue legal action for good-faith research within these rules, and credit researchers who wish to be named. A paid bounty program is planned; rewards are currently discretionary.
7. Contact
Security questions or reports: [email protected].
Write to us and a human will reply within one business day. [email protected]
Legal & policies