Security at stack4solo

Last updated: May 2026

Your business data and your customers' data are your most valuable assets. We take security seriously — not as a compliance checkbox, but as a core product requirement. Here's exactly what we do to protect it.

Encryption everywhere

All data is encrypted in transit using TLS 1.2+. All data at rest is encrypted by our database provider (AES-256). Backups are encrypted. There is no unencrypted path to any production data.

SOC 2 infrastructure

stack4solo runs on Vercel (hosting) and Supabase (database), both of which maintain SOC 2 Type II compliance. Your data is hosted in secure, audited data centres. We do not run our own physical hardware.

Row-level security

Every table in our database enforces row-level security (RLS) at the PostgreSQL level. A bug in application code cannot expose one tenant's data to another — the database itself enforces isolation. This is not a software guarantee; it's a database guarantee.
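The PostgreSQL mechanism behind this is a row-level security policy. The following is an added illustration written for this page, not stack4solo's own schema or policy. It assumes a constructed `orders` table with a `tenant_id` column and a hypothetical per-session setting `app.tenant_id` that the application sets after authenticating; on Supabase the policy would typically read the tenant from `auth.uid()` or a JWT claim instead. The script is meant to be run in `psql` as a superuser or the table owner so that `set role` works.

```sql
-- Constructed example schema: one table shared by many tenants.
create table orders (
  id        bigserial primary key,
  tenant_id uuid    not null,
  customer  text    not null,
  total     numeric not null
);

-- Seed two tenants' rows while RLS is still off (the owner seeds data here).
insert into orders (tenant_id, customer, total) values
  ('11111111-1111-1111-1111-111111111111', 'alice', 10),
  ('22222222-2222-2222-2222-222222222222', 'bob',   20);

-- Turn RLS on. FORCE also applies the policy to the table owner, so a
-- migration or script run as the owner cannot accidentally bypass it.
-- (Superusers and roles with BYPASSRLS are never subject to policies.)
alter table orders enable row level security;
alter table orders force row level security;

-- Tenant identity comes from a session setting (hypothetical key
-- 'app.tenant_id'). nullif() guards against an empty string, which would
-- otherwise fail the uuid cast; a missing setting yields NULL and matches nothing.
create policy tenant_isolation on orders
  for all
  using      (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid)
  with check (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid);

-- The role used for application connections: it does not own the table and
-- has no BYPASSRLS, so every statement it runs goes through the policy.
create role app_user nologin;
grant select, insert, update, delete on orders to app_user;
grant usage, select on sequence orders_id_seq to app_user;

-- Demonstration: act as the application, bound to tenant A.
set role app_user;
select set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', false);

-- A query with a "forgotten" WHERE clause still returns only tenant A's row.
select customer, total from orders;   -- returns only 'alice'

-- WITH CHECK also blocks writes into another tenant: this INSERT is
-- rejected with "new row violates row-level security policy for table orders".
insert into orders (tenant_id, customer, total)
values ('22222222-2222-2222-2222-222222222222', 'mallory', 0);

reset role;
```

Two checks worth keeping in mind when relying on this model: the policy is only consulted for roles without `BYPASSRLS` that do not own the table (or for the owner only when `FORCE ROW LEVEL SECURITY` is set), and any connection using elevated credentials, such as a Supabase service role key, bypasses it entirely. That is why the policy in the Access controls section below about keeping service role credentials out of client-side code is what makes the database guarantee hold end to end.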

Authentication

User authentication is handled by Supabase Auth, which supports magic-link email login and secure session tokens. We never store passwords. Session tokens are short-lived and rotated on sign-in. Admin accounts require email verification.

Access controls

Only core team members have access to production systems. Access is granted on a least-privilege basis — no one has broader access than their role requires. All production access is logged. Service role credentials are never exposed to client-side code.

Dependency security

We keep all dependencies up to date and monitor for known vulnerabilities using automated tooling. We follow security advisories for Next.js, Supabase, and other core dependencies and apply patches promptly.

Backups

Our production database has point-in-time recovery (PITR) enabled, allowing us to restore to any point within the last 7 days. Backups are automated and tested periodically. We target a recovery time objective (RTO) of less than 4 hours.

Incident response

In the event of a security incident, we will notify affected tenants by email within 72 hours of becoming aware, and within 24 hours if payment data may be involved. We will publish a post-incident report for any significant incident affecting customer data.

Compliance frameworks

stack4solo serves tenants in Canada and India. We comply with the following privacy and data protection frameworks:

PIPEDA (Canada)

Personal Information Protection and Electronic Documents Act. Our primary compliance framework for Canadian tenants and their customers.

https://www.priv.gc.ca

Quebec Law 25 (Quebec, Canada)

An Act respecting the protection of personal information in the private sector. Applies to tenants operating in Quebec.

https://www.cai.quebec.ca

DPDPA 2023 (India)

Digital Personal Data Protection Act. Applies to tenants in India and their customers' personal data.

https://www.meity.gov.in

What we never do

  • Sell, rent, or share your data or your customers' data with any third party for advertising
  • Store payment card numbers — all payments go through Stripe or Razorpay directly
  • Use your customers' contact details for our own marketing
  • Grant any employee broader system access than their role requires
  • Deploy code to production without a review step

Responsible disclosure

If you discover a security vulnerability in stack4solo, we ask that you report it to us privately before disclosing it publicly. We commit to acknowledging your report within 48 hours, keeping you informed as we investigate, and crediting you in our security acknowledgements if you choose.