Security
Last updated: 11 March 2026
Our security measures
- Encryption in transit: all connections to CraftCert use HTTPS/TLS. Data is encrypted between your browser and our servers.
- Encryption at rest: database data is encrypted at rest using AES-256 via our hosting provider (Supabase/AWS).
- Authentication: user sessions are managed by Supabase Auth with secure, httpOnly cookies. Passwords are hashed using bcrypt.
- Row-level security: database access is enforced at the row level — users can only access their own data. Administrative access requires a separate, privileged client.
- Rate limiting: API endpoints are protected by rate limiting (via Upstash) to prevent abuse and brute-force attacks.
- CSRF protection: state-changing (non-GET) API requests are rejected unless their Origin header matches the site origin.
- Error monitoring: application errors are tracked via Sentry for rapid incident response. Formulation data is not sent to error tracking.
- Webhook verification: Stripe webhook events are verified using signature validation and checked for livemode consistency.
Reporting a vulnerability
If you discover a security vulnerability in CraftCert, please report it responsibly:
- Email support@craftcert.co.uk with the subject line “Security Report”.
- Include a clear description of the vulnerability and steps to reproduce it.
- Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
We take all reports seriously and will acknowledge receipt within 48 hours. We aim to resolve confirmed vulnerabilities within 14 days.
Scope
This policy covers the CraftCert web application at craftcert.co.uk and its API endpoints. Third-party services (Supabase, Stripe, etc.) have their own security policies and are not in scope for CraftCert vulnerability reports.
Contact
For security questions or to report a vulnerability:
support@craftcert.co.uk
Crocker Digital Ltd, Company No. 17008789