Infrastructure
Hosted on AWS in eu-central-1 (Frankfurt). Compute runs in a private VPC; database access is restricted to application security groups only. Backups are encrypted with AES-256 and retained for 30 days.
Encryption
- TLS 1.3 minimum for all traffic.
- AES-256 for data at rest.
- Passwords hashed with Argon2id, never reversible.
- Bearer tokens stored as one-way hashes server-side.
Access control
- Mandatory hardware-key 2FA for all employees.
- Production database access limited to two senior engineers, audited monthly.
- No shared accounts. No master passwords. Every action is traceable to an individual.
Application security
- All input validated server-side with VineJS.
- Parameterized queries everywhere (Lucid ORM). No string-built SQL.
- Rate limiting on auth, signup, conversion, and webhook endpoints.
- CSP, HSTS, X-Frame-Options, and Referrer-Policy headers set across the platform.
Audits + testing
Independent penetration test annually. Dependabot and Snyk run continuously, and any high-severity finding blocks deployment. SOC 2 Type II in progress, expected Q3 2026.
Responsible disclosure
Found something? Email security@saasboost.app with reproduction steps. We acknowledge within 24 hours and aim to resolve critical issues within 7 days. We pay bounties from €100 to €5,000 depending on severity. We will never threaten or pursue researchers acting in good faith.
Out of scope
- Social engineering of staff or customers.
- Physical attacks against our offices.
- Denial of service attacks.
- Spam or brute-force attempts that do not demonstrate an actual vulnerability.
PGP key
For sensitive reports, encrypt with our PGP key (fingerprint 4F1A 8E2B 9C3D 6E5F 7A2B 8C4D 1E3F 5A6B 7C8D 9E0F). Available at /.well-known/security.txt.