1. Transport security
All traffic is HTTPS-only with HSTS, a strict CSP, and modern TLS. API calls require the X-API-Key header; we do not accept API keys via query string (avoids leaking into access logs).
2. Storage and encryption
- Postgres (Neon): encryption at rest, point-in-time recovery, network isolated.
- Passwords: hashed with a modern KDF (scrypt) by Better Auth — never stored plaintext.
- API keys: hashed at rest; we cannot recover a lost key — you rotate.
- Stripe handles all PCI scope; we never see card numbers.
3. Access control
Production access is limited to founders, enforced via SSO and 2FA on the underlying providers (Vercel, Neon, Stripe). Day-to-day access is read-only; writes go through code review and CI.
4. Logging and monitoring
We log API requests (timestamp, route, status, duration, key id, user id) for billing and abuse detection, and capture application errors in Sentry. Logs are retained for 90 days.
5. Rate limits and abuse
Per-key per-minute rate limits are enforced on every endpoint; IP-based limits gate anonymous traffic at the edge. Persistent abuse triggers key suspension and account review.
6. Incident response
Security incidents follow a documented triage → containment → notification flow. We notify affected customers within 72 hours of a confirmed personal-data breach, with the information known at that time.
7. Reporting a vulnerability
Email security@pair.directory with reproduction steps. We commit to acknowledging reports within 72 hours, will not pursue legal action against good-faith research that respects this policy, and will credit reporters who wish to be credited.