Trust & Safety
Security
How we protect your data and our infrastructure
SwiftGeo handles business data, payment information, and AI scan results. We take security seriously. This page documents our controls so you can make an informed decision about trusting us with your data.
🔐
Authentication
bcrypt password hashing, JWT tokens with 24-hour expiry, password reset via time-limited tokens (2-hour window)
🌐
Transport
TLS 1.2+ enforced on all connections via Let's Encrypt SSL, Cloudflare edge network, HSTS enabled
🗄️
Infrastructure
DigitalOcean managed PostgreSQL and Redis with private networking, not exposed to public internet
💳
Payments
Stripe handles all card data. We store only a Stripe customer ID. We are PCI compliant by delegation.
Application Security
- Rate limiting on public API endpoints (3 requests/minute per IP on scan endpoints)
- Admin routes protected by Nginx IP allowlist
- Stripe webhook signature verification on all payment events
- No sensitive credentials stored in frontend code or git history
- Environment variables managed via server-side .env, never committed to version control
- Error monitoring via Sentry — exceptions logged without sensitive data
- Uptime monitoring via UptimeRobot with 5-minute check intervals
Data Handling
- Business profile data stored only in your account — never shared or sold
- Scan results cached in Redis with TTL, persisted in PostgreSQL
- No plaintext passwords stored at any layer
- Database backups managed by DigitalOcean with point-in-time recovery
- Data at rest encrypted by DigitalOcean managed database infrastructure
Access Controls
- Server access via SSH key authentication only — no password auth
- No shared credentials — each service uses isolated API keys
- Production containers run as non-root users
- API keys rotated immediately upon any suspected exposure
🔍 Responsible Disclosure
Found a vulnerability? We appreciate responsible disclosure. Email Loading... with details. We'll respond within 48 hours, work to fix confirmed issues promptly, and credit researchers who report valid findings. Please do not publicly disclose vulnerabilities before we've had a chance to address them.
Security questions or concerns? Email Loading...