Security

Last updated: March 12, 2026

Infrastructure Security

Raisolve is built on enterprise-grade cloud infrastructure:

  • Hosting: Vercel Edge Network with global CDN and DDoS protection
  • Database: Supabase (PostgreSQL) with automatic backups and point-in-time recovery
  • Uptime SLA: 99.9% uptime guarantee for Pro and Enterprise plans
  • Geographic redundancy: Data replicated across multiple availability zones

Data Encryption

  • In transit: TLS 1.3 for all connections. HTTPS enforced everywhere.
  • At rest: AES-256 encryption for all stored data
  • OAuth tokens: Gmail and Shopify access tokens encrypted with rotating keys — never stored in plaintext
  • Passwords: Hashed with bcrypt (minimum 12 rounds). We never store plaintext passwords.

Access Controls

  • Row-level security (RLS) enforced at the database level — tenants are strictly isolated
  • Multi-factor authentication (MFA) available for all accounts
  • Google OAuth for secure, password-free login
  • Employee access to production systems requires hardware security keys
  • Principle of least privilege applied to all internal systems

Application Security

  • OWASP Top 10 mitigations applied across all endpoints
  • Input validation and output encoding to prevent XSS and injection attacks
  • CSRF protection on all state-changing operations
  • Rate limiting on all API endpoints
  • Content Security Policy (CSP) headers enforced
  • SQL injection prevention via parameterized queries

Compliance

  • GDPR compliant (see our GDPR page)
  • CCPA compliant for California residents
  • Google API Services User Data Policy compliant
  • Shopify Partner Program security requirements met
  • SOC 2 Type II audit in progress (Q3 2026)
  • PCI DSS Level 1 (via Stripe) for payment processing

Third-Party Security

We carefully vet all third-party services:

  • Anthropic: Enterprise API with zero data retention for inference. Your emails are not used to train AI models.
  • Stripe: PCI DSS Level 1 certified. We never touch your payment card data.
  • Supabase: SOC 2 Type II certified.

Monitoring & Incident Response

  • 24/7 automated monitoring for anomalous activity
  • Security alerts with a response time under 5 minutes
  • Incident response plan reviewed quarterly
  • GDPR-compliant breach notification within 72 hours
  • Post-incident reports published for significant events

Bug Bounty Program

Raisolve operates a responsible disclosure program for security researchers. We believe the security community plays a critical role in keeping our users safe.

Scope

  • raisolve.com and all subdomains
  • The Raisolve web application and dashboard
  • Public-facing APIs

In Scope Vulnerability Types

  • Authentication bypass or session hijacking
  • Cross-tenant data access (tenant isolation failures)
  • SQL injection or remote code execution
  • Significant XSS vulnerabilities
  • CSRF on sensitive actions
  • OAuth token exposure or mishandling

Out of Scope

  • Denial of service (DoS/DDoS) attacks
  • Social engineering or phishing of Raisolve employees
  • Issues in third-party services (Supabase, Stripe, Google)
  • Clickjacking on non-sensitive pages
  • Rate limiting on non-authentication endpoints

How to Report

We do not take legal action against researchers who act in good faith and follow these guidelines. Please do not access or modify user data, disrupt service availability, or share findings publicly before we have resolved the issue.

We recognize valid reports publicly (with researcher permission) and offer our sincere thanks. We are working toward formal bug bounty rewards in 2026.

Security Updates

We maintain a rigorous patch management process:

  • Critical patches applied within 24 hours
  • High-severity patches applied within 72 hours
  • All dependencies monitored with automated vulnerability scanning
  • Regular penetration testing by third-party security firms

Questions

For security questions or to report a vulnerability, contact security@raisolve.com.