Security

Last updated: April 23, 2026

True Margin is built and operated by a small team with a deliberate security posture: defense-in-depth over ceremony, fewer moving parts, and an independent code review on the books. This page is a living summary — if a customer or partner needs additional detail, write us at security@truemargin.ai.

Data in transit

  • All traffic to True Margin is TLS 1.2+ encrypted. HTTP is redirected to HTTPS.
  • HSTS enabled with a one-year max-age, includeSubDomains, and the preload directive.
  • Strict Content Security Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and referrer/permissions policies applied on every response.

Data at rest

  • Database (Neon Postgres) — AES-256 at rest, regional isolation, point-in-time recovery within the active branch window.
  • Passwords hashed with bcrypt at cost factor 10; never stored in plaintext and not recoverable.
  • API keys, OAuth refresh tokens, and third-party credentials stored as encrypted columns in the database (lib/security/encryption.ts) keyed off an environment secret.
  • Environment secrets held in Vercel's write-only encrypted store; not retrievable after write.

Authentication

  • NextAuth with email + password (bcrypt) or Google OAuth.
  • Session tokens are HMAC-signed JWTs verified with constant-time comparison.
  • Two-factor authentication available for every account.
  • Device verification challenges on new-device sign-ins.
  • Signup anti-abuse: one new account per IP per 24h, rate-limited login endpoint.
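As an added illustration of the session-token check described above, the following is example code written for this page, not True Margin's or NextAuth's implementation; the names signHs256 and verifyHs256 are invented. It shows the two properties that matter for an HMAC-signed JWT: the verifier pins the algorithm instead of trusting the token's header, and the signature comparison runs in constant time via Node's timingSafeEqual.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example: a minimal HS256 (HMAC-SHA256) JWT signer/verifier.
// Function names are hypothetical; this is not NextAuth's or True Margin's code.

function b64url(data: string | Buffer): string {
  return Buffer.from(data).toString("base64url");
}

// Decode one base64url JSON segment; null on any malformed input.
function decodeJson(segment: string): Record<string, unknown> | null {
  try {
    const parsed = JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
    return parsed !== null && typeof parsed === "object" ? parsed : null;
  } catch {
    return null;
  }
}

export function signHs256(payload: Record<string, unknown>, secret: string): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac("sha256", secret).update(`${header}.${body}`).digest("base64url");
  return `${header}.${body}.${sig}`;
}

// Returns the payload when the token is valid, otherwise null.
// `now` is seconds since the epoch, injectable so expiry can be tested deterministically.
export function verifyHs256(
  token: string,
  secret: string,
  now: number = Math.floor(Date.now() / 1000),
): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;

  // Pin the algorithm: the verifier decides it is HS256; the token does not get a vote.
  // This closes the classic "alg": "none" and key-confusion mistakes.
  const hdr = decodeJson(header);
  if (!hdr || hdr.alg !== "HS256") return null;

  // Recompute the MAC over exactly the bytes that were signed and compare in constant time.
  // timingSafeEqual throws on unequal lengths, so compare lengths first; a SHA-256 MAC's
  // length is public, so that early return reveals nothing about the secret.
  const expected = createHmac("sha256", secret).update(`${header}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;

  const payload = decodeJson(body);
  if (!payload) return null;
  const exp = payload.exp;
  if (typeof exp === "number" && exp <= now) return null; // expired
  return payload;
}
```

The signature is checked before the payload is even parsed, so an attacker-controlled body never reaches JSON.parse unless it was signed with the server's secret.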

Destructive operations

  • Database-level BEFORE DELETE triggers refuse deletes on user, settings, and subscription tables unless a single-transaction unlock flag is set.
  • Heroku-style confirm-email gate on every reset script (typed-email match required).
  • Hardcoded blocklist protects paying customer accounts from accidental reset even with full database access.
  • Every deleted row is copied to an archive table in the same transaction — nothing is lost without a recovery path.

Infrastructure

  • Hosting: Vercel (US-East).
  • Database: Neon Postgres (US-East) with branch-per-deploy for safe migrations.
  • Email: Resend (transactional only — no marketing from the app).
  • Billing: Stripe. Card data never touches our servers; we receive signed webhooks verified with Stripe's signature API.
  • AI providers: Anthropic and OpenAI for content generation; inputs are account-scoped, outputs are stored per-user.
  • Error monitoring: Sentry (optional, opt-in per-environment).

Subprocessors

We rely on the following third-party services to operate True Margin:

  • Vercel — application hosting
  • Neon — Postgres database
  • Stripe — payments
  • Resend — transactional email
  • Anthropic — AI content generation
  • OpenAI — AI content generation
  • Sentry — runtime error monitoring (optional)
  • Google — Search Console / Analytics data (read-only, user-authorized)

Code & dependencies

  • Every pull request is scanned for static-analysis issues (Semgrep), committed secrets (Gitleaks), and dependency vulnerabilities (Trivy + npm audit) before it can merge.
  • Critical and high-severity findings block the merge; moderate findings are logged and triaged weekly.
  • SSRF-safe URL validation on every external-URL endpoint (site crawl, CMS test, competitor scanner).
  • User-supplied HTML is sanitized with DOMPurify before rendering.
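The SSRF-safe URL validation mentioned above, as an added example written for this page rather than True Margin's own lib/security code; the function names (validateExternalUrl, isBlockedV4, isBlockedV6) and the denylist of hostname suffixes are constructed for illustration. It rejects non-HTTP schemes, embedded credentials, loopback and internal hostnames, and any literal or DNS-resolved address in a non-public range, relying on the WHATWG URL parser to normalise encodings such as decimal or IPv4-mapped IPv6 addresses first.

```typescript
import { isIP } from "node:net";

// Added example of an SSRF-resistant check for user-supplied URLs.
// Names are hypothetical; this is not True Margin's own validation code.

// Constructed denylist: address ranges that should never be fetched on a user's behalf.
// Each entry is [network, prefix length].
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],        // "this" network
  ["10.0.0.0", 8],       // RFC 1918
  ["100.64.0.0", 10],    // carrier-grade NAT
  ["127.0.0.0", 8],      // loopback
  ["169.254.0.0", 16],   // link-local (cloud metadata endpoints live here)
  ["172.16.0.0", 12],    // RFC 1918
  ["192.168.0.0", 16],   // RFC 1918
  ["224.0.0.0", 4],      // multicast
  ["240.0.0.0", 4],      // reserved and broadcast
];

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function isBlockedV4(ip: string): boolean {
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([net, bits]) => (n >>> (32 - bits)) === (v4ToInt(net) >>> (32 - bits)));
}

function isBlockedV6(ip: string): boolean {
  const v6 = ip.toLowerCase();
  if (v6 === "::1" || v6 === "::") return true; // loopback, unspecified
  // IPv4-mapped addresses: dotted ::ffff:a.b.c.d, or ::ffff:XXXX:XXXX as the URL parser serialises them
  const dotted = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) return isBlockedV4(dotted[1]);
  const hex = v6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) {
    const hi = parseInt(hex[1], 16);
    const lo = parseInt(hex[2], 16);
    return isBlockedV4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return /^f[cd][0-9a-f]{2}:/.test(v6) || /^fe[89ab][0-9a-f]:/.test(v6); // fc00::/7, fe80::/10
}

export type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

// `resolved` holds the addresses the caller obtained from DNS for url.hostname; pass them
// so a public-looking name that resolves to an internal address is caught as well.
export function validateExternalUrl(raw: string, resolved: string[] = []): UrlCheck {
  const reject = (reason: string): UrlCheck => ({ ok: false, reason });
  let url: URL;
  try {
    url = new URL(raw); // normalises forms such as http://2130706433/ to 127.0.0.1
  } catch {
    return reject("URL does not parse");
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return reject(`scheme ${url.protocol} not allowed`);
  if (url.username || url.password) return reject("credentials in URL not allowed");
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  // Constructed hostname denylist; extend with whatever internal suffixes your environment uses.
  if (host === "localhost" || host.endsWith(".localhost") || host.endsWith(".internal")) {
    return reject(`host ${host} is internal`);
  }
  for (const addr of [host, ...resolved]) {
    const family = isIP(addr);
    if ((family === 4 && isBlockedV4(addr)) || (family === 6 && isBlockedV6(addr))) {
      return reject(`address ${addr} is not publicly routable`);
    }
  }
  return { ok: true, url };
}
```

Resolve the hostname once, pass every returned address in `resolved`, and then connect to one of those validated addresses rather than re-resolving; otherwise a record that changes between the check and the fetch (DNS rebinding) bypasses the check. Redirect targets need to go through the same function.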

What we don't have yet

We believe in being explicit about what's done and what's planned. Today:

  • SOC 2 Type II is on the roadmap for 2027; we are not certified today.
  • We do not run a public bug bounty program. Responsible disclosures go to security@truemargin.ai and are acknowledged within 48 hours.
  • No single-sign-on (SAML / SCIM) at this time.

Incident response

  • Runtime errors alert the on-call channel within minutes via Sentry.
  • Security incidents affecting customer data will be disclosed to affected accounts within 72 hours of confirmation.
  • Post-incident writeups are shared with any enterprise customer who requests one.
  • Contact: security@truemargin.ai (monitored 9am–9pm ET weekdays; after-hours goes through the founder).

Responsible disclosure

If you believe you've found a security vulnerability, please email security@truemargin.ai with steps to reproduce. Do not publicly disclose the issue until we have confirmed a fix. We will acknowledge receipt within 48 hours and keep you updated through remediation. We do not currently offer bounty payments, but we will publicly credit reporters who request it.