Pair

Security

How we secure the directory and its infrastructure.

Updated · Version 2026.05.27 · Draft — review with counsel before launch

1. Transport security

All traffic is served over HTTPS only, with HSTS so that browsers refuse to fall back to plaintext on later visits, a strict Content Security Policy that limits where scripts and other resources may be loaded from, and current TLS protocol versions and cipher suites.
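The claims above can be checked from the response headers alone, except for the TLS version and cipher suite, which need a live handshake. The following audit is an added example, not code from pair.directory; the thresholds it applies (a one-year HSTS max-age, includeSubDomains, nonce- or hash-based script-src, object-src 'none') are the checker's own assumptions about what "strict" means, and the sample header sets are constructed, not captured from the site.

```python
"""Audit HSTS and CSP headers on an HTTPS response.

Added example, not pair.directory's own code. Thresholds are assumptions.
"""
from __future__ import annotations

ONE_YEAR = 31_536_000  # seconds; assumed minimum HSTS max-age


def parse_hsts(value: str) -> dict[str, str | None]:
    """Turn 'max-age=63072000; includeSubDomains; preload' into a dict."""
    out: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip() or None
    return out


def parse_csp(value: str) -> dict[str, list[str]]:
    """Turn a Content-Security-Policy into {directive: [sources]}."""
    out: dict[str, list[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for one response; an empty list means it passes."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age") or "")
        except ValueError:
            max_age = -1
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP header missing")
    else:
        directives = parse_csp(csp)
        script_src = directives.get("script-src", directives.get("default-src"))
        if script_src is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            # Browsers ignore 'unsafe-inline' when a nonce or hash is present,
            # and ignore host/scheme sources under 'strict-dynamic'.
            has_nonce_or_hash = any(
                s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                for s in script_src
            )
            strict_dynamic = "'strict-dynamic'" in script_src
            if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
                findings.append("CSP allows 'unsafe-inline' scripts without a nonce or hash")
            if "'unsafe-eval'" in script_src:
                findings.append("CSP allows 'unsafe-eval'")
            if not strict_dynamic:
                for src in script_src:
                    if src in ("*", "http:", "https:") or src.startswith("*."):
                        findings.append(f"CSP script source {src} is too broad")
            if directives.get("object-src") != ["'none'"]:
                findings.append("CSP should set object-src 'none'")
    return findings


# Constructed sample header sets (not captured from pair.directory).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic' "
        "'unsafe-inline' https:; object-src 'none'; base-uri 'none'"
    ),
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_headers(hdrs) or "ok")
```

In practice the header dict would come from a real response (for example `requests.get(url).headers`); the point of the nonce and 'strict-dynamic' handling is that a strict CSP legitimately contains 'unsafe-inline' and `https:` as fallbacks for older browsers, so a naive grep for those tokens would produce false positives.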

2. Storage and encryption

  • Postgres (Neon): encrypted at rest, point-in-time recovery enabled, and network-isolated.
  • Secrets: stored in the managed providers' environment configuration, with operator access limited to the people who need it.

3. Access control

Production access is limited to the founders and is enforced through SSO and 2FA on the underlying providers. Day-to-day access is read-only; changes to production go through code review and CI rather than direct writes.

4. Logging and monitoring

We log request metadata for reliability and abuse detection, and capture application errors in Sentry. Logs are retained for 90 days.

5. Rate limits and abuse

IP-based rate limits gate abusive traffic at the edge, before it reaches the application. Persistent abuse may be blocked.
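To make the two-stage behaviour concrete (rate-limit first, block on persistent abuse), here is an added example of a per-IP token bucket with escalation. It is not pair.directory's edge configuration; the capacity, refill rate, strike threshold, strike window and block duration are illustrative assumptions, and the traffic it runs over is constructed.

```python
"""Per-IP token-bucket rate limiter that escalates to a temporary block.

Added example, not pair.directory's edge configuration. All numbers are
assumptions chosen for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

CAPACITY = 60           # burst size per IP (assumed)
REFILL_PER_SEC = 1.0    # sustained requests per second per IP (assumed)
STRIKE_LIMIT = 5        # rate-limited requests before a block (assumed)
STRIKE_WINDOW = 600.0   # seconds over which strikes are counted (assumed)
BLOCK_SECONDS = 3600.0  # length of the block (assumed)


@dataclass
class Bucket:
    tokens: float = CAPACITY
    last: float = 0.0
    strikes: list[float] = field(default_factory=list)
    blocked_until: float = 0.0


class EdgeLimiter:
    def __init__(self) -> None:
        self.buckets: dict[str, Bucket] = {}

    def check(self, ip: str, now: float) -> str:
        """Decide one request: 'allow', 'limit' (429) or 'block' (403)."""
        b = self.buckets.setdefault(ip, Bucket(last=now))
        if now < b.blocked_until:
            return "block"
        # Refill in proportion to elapsed time, capped at the burst size.
        b.tokens = min(CAPACITY, b.tokens + (now - b.last) * REFILL_PER_SEC)
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            return "allow"
        # Over the limit: record a strike; block once strikes accumulate
        # inside the window, which is what "persistent abuse" means here.
        b.strikes = [t for t in b.strikes if now - t < STRIKE_WINDOW]
        b.strikes.append(now)
        if len(b.strikes) >= STRIKE_LIMIT:
            b.blocked_until = now + BLOCK_SECONDS
            b.strikes.clear()
            return "block"
        return "limit"


def simulate(events: list[tuple[float, str]]) -> dict[str, dict[str, int]]:
    """Run (timestamp, ip) events through one limiter; tally decisions per IP."""
    limiter = EdgeLimiter()
    tally: dict[str, dict[str, int]] = {}
    for t, ip in events:
        decision = limiter.check(ip, t)
        tally.setdefault(ip, {"allow": 0, "limit": 0, "block": 0})[decision] += 1
    return tally


# Constructed traffic: a normal client at 1 req/s and a scraper at 100 req/s
# (documentation-range addresses, not real clients).
TRAFFIC = sorted(
    [(i * 1.0, "198.51.100.7") for i in range(120)]
    + [(i * 0.01, "203.0.113.9") for i in range(2000)]
)

if __name__ == "__main__":
    for ip, counts in simulate(TRAFFIC).items():
        print(ip, counts)
```

The normal client never drains its bucket, so every request is allowed. The scraper gets its 60-request burst, then four 429s, and is blocked on the fifth strike for the rest of the run. IP is a coarse key (shared NATs, rotating proxies), which is why the policy says persistent abuse "may" be blocked rather than promising an automatic ban.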

6. Incident response

Security incidents follow a documented triage → containment → notification flow. We notify affected users within 72 hours of confirming a breach of personal data, with the information known at that time.

7. Reporting a vulnerability

Email security@pair.directory with reproduction steps. We commit to acknowledging reports within 72 hours, will not pursue legal action against good-faith research that respects this policy, and will credit reporters who wish to be credited.

Questions about this policy? Email hello@pair.directory.