Security

Your data is the foundation of your business. Here's how we protect it.

  • SOC 2 Type II: Planned — Not Yet Audited
  • GDPR: Working Toward Compliance
  • High Availability: Multi-Region Hosting

Encryption

In Transit

All data transmitted between your browser and our servers is encrypted with TLS 1.3. We enforce HTTPS on all connections and use HSTS headers.

At Rest

All database data is encrypted at rest using AES-256 encryption. Backups are encrypted with separate keys and stored in geographically redundant locations.

Authentication & Access Control

  • Magic link authentication (passwordless) with enterprise-grade auth infrastructure
  • Google OAuth 2.0 integration for social sign-in
  • Optional two-factor authentication (2FA) for admin accounts
  • Role-based access control (RBAC) with 6 distinct permission levels
  • Session tokens with configurable expiration and automatic rotation
  • Admin impersonation with full audit trail logging
  • API keys with scoped permissions and rate limiting

Monitoring & Fraud Prevention

  • Real-time fraud signal detection for suspicious panelist behavior
  • Trust scores calculated from multiple behavioral indicators
  • IP-based anomaly detection and geolocation verification
  • Comprehensive audit logs for all admin actions
  • Kill switches for immediate feature or access revocation
  • Automated alerts for unusual login patterns or data access

Infrastructure

  • Hosted on Vercel's edge network with automatic failover and DDoS protection
  • Managed PostgreSQL database with provider-managed recovery options
  • Provider-managed backups (retention varies by hosting tier)
  • Content Delivery Network (CDN) for global performance
  • Zero-downtime deployments with instant rollback capability

Incident Response

Our incident response process follows industry best practices:

  • Detection & Triage: target < 15 min
  • Initial Response: target < 1 hour
  • Regulatory Notification: as required
  • Post-Incident Review: target < 5 days

Compliance & Certifications

  • Working toward GDPR compliance — see our GDPR page for details
  • SOC 2 Type II audit planned (not yet started)
  • Working toward PIPEDA compliance (Canadian privacy legislation)
  • Third-party penetration testing planned for 2026
  • Data Processing Agreement (DPA) template available on request

Security questions?

Our security team is available to discuss your specific requirements.

info@ethosmr.com