Data in Transit
- All connections use TLS 1.2 or higher (HTTPS)
- HTTP Strict Transport Security (HSTS) is enforced
Authentication
- Authentication is handled by Clerk, a trusted third-party identity provider
- Session tokens are cryptographically verified on every request
- Sensitive endpoints are rate-limited
Data Storage
- Calculator inputs are stored locally in your browser (localStorage)
- We do not store your financial projections on our servers
- Payment processing is handled by Stripe; we do not store card details
Third-Party Services
- Clerk — authentication and identity management
- Stripe — payment processing (PCI DSS compliant)
- Resend — transactional email delivery
- Fly.io — application hosting infrastructure
Reporting a Vulnerability
If you discover a security issue, please report it responsibly.