Security

How we protect your data and how to report a vulnerability.

Our Commitment

Security is foundational to FineProof. We handle sensitive business and employee data on behalf of our customers, and we take that responsibility seriously. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+), hosted on SOC 2 certified infrastructure (Supabase/AWS, Netlify), and protected by strict access controls.

Responsible Disclosure Policy

We welcome reports from security researchers and the broader community. If you discover a vulnerability in FineProof, we ask that you disclose it to us responsibly before making it public.

To report a vulnerability: Email us at hello@fineproof.io with the subject line "Security Vulnerability Report". We will acknowledge your report within 48 hours and provide a resolution timeline.

What to Include in Your Report

A clear description of the vulnerability
Steps to reproduce the issue
The potential impact you believe it could have
Any supporting screenshots or proof-of-concept code

Our Commitments to You

We will acknowledge your report within 48 hours
We will investigate and keep you informed of our progress
We will remediate confirmed critical vulnerabilities within 48 hours
We will not take legal action against researchers acting in good faith
We will credit you for your discovery if you wish (with your permission)

Scope

The following are in scope for responsible disclosure:

fineproof.io and all subdomains
FineProof application and API endpoints
Authentication and authorization mechanisms
Data exposure or privacy vulnerabilities

The following are out of scope:

Denial of service attacks
Social engineering of FineProof staff
Physical security attacks
Vulnerabilities in third-party services (Supabase, Netlify, Stripe)

Contact

Report a vulnerability or ask a security question

hello@fineproof.io

For general privacy questions, see our Privacy Policy.