How we keep your work safe.
EditorOP is indie SaaS, not a Fortune 500 contractor. We don't claim certifications we haven't earned. Below is what is actually true about how we run the service today.
01 Encryption
TLS 1.3 in transit on every endpoint (Cloudflare + Vercel edges). AES-256 at rest in Cloudflare R2 and Supabase Postgres — both are encrypted by default at the storage layer.
02 Authentication
JWT bearer tokens signed with HMAC-SHA256, 1-hour TTL. Tokens are short-lived and re-issued on each session refresh. Server endpoints never trust client-supplied identity claims.
03 Payments
Dodo Payments is our PCI DSS-compliant merchant of record. Card numbers never touch our infrastructure. Dodo also handles global VAT/GST/sales tax.
04 Storage
Cloudflare R2 buckets are private by default. All access goes through presigned URLs with a maximum 1-hour TTL — no long-lived asset links.
05 Webhook integrity
All inbound webhooks (payments, etc.) are verified with Standard Webhooks signatures, and the signed timestamp is rejected when it is more than 5 minutes old, as replay protection.
06 Rate limiting
Per-IP and per-user limits on hot endpoints (auth, upload, AI analysis, payment) via slowapi. Abuse signals trigger temporary lockouts.
07 Prompt-injection defense
User-supplied text is wrapped in XML data fences before being passed to any LLM. Instructions inside user content are not executed by the model.
08 SSRF defense
Every outbound URL fetch resolves DNS first and rejects private IP ranges (RFC 1918, localhost, link-local, cloud metadata addresses).
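As an added illustration (not EditorOP's own code), a Python check of the kind this section describes: it resolves the host first, rejects any answer in a private, loopback, link-local or otherwise non-routable range, and hands back the single vetted address so the fetch connects to that address rather than resolving the name a second time. The resolver is injectable so the check runs offline; the function names and the sample resolver answers are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolve(host):
    """Every A/AAAA answer the system resolver returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_blocked_ip(ip_text):
    """True if an outbound fetch must never reach this address."""
    addr = ipaddress.ip_address(ip_text)
    # An IPv4-mapped IPv6 literal (::ffff:10.0.0.1) is judged by its IPv4 part.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return (
        addr.is_private        # RFC 1918, fc00::/7 and other non-routable blocks
        or addr.is_loopback    # 127.0.0.0/8, ::1
        or addr.is_link_local  # 169.254.0.0/16 (cloud metadata), fe80::/10
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def check_outbound_url(url, resolve=system_resolve):
    """Vet a user-supplied URL before fetching it.
    Returns (True, address) with the one vetted address the caller should
    connect to, so the name is not resolved again, or (False, reason).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:  # a literal IP is checked as-is; a hostname is resolved first
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = list(resolve(host))
    if not addresses:
        return False, f"{host!r} does not resolve"
    # Every answer must pass: one private record among public ones rejects the URL.
    for ip_text in addresses:
        if is_blocked_ip(ip_text):
            return False, f"{host!r} resolves to blocked address {ip_text}"
    return True, addresses[0]
```

The caller should open the connection to the returned address (sending the original hostname for SNI and the Host header), since a second lookup of the name may not return the answer that was checked.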
09 Dependencies
Quarterly npm audit and pip-audit reviews. Dependabot auto-PRs for security-critical bumps. No SQL injection surface — we use parameterized ORMs (Prisma + SQLAlchemy) throughout.
10 Responsible disclosure
Report vulnerabilities to security@editorop.com. We acknowledge within 48 hours, provide a resolution timeline within 7 days, and target coordinated disclosure within 90 days. Valid reports get public credit (with your permission).
Found a vulnerability?
Email security@editorop.com. We respond within 48 hours.
Please include reproduction steps, expected vs. actual behavior, and impact assessment. We don't currently offer monetary bounties but we credit valid reports here (with your permission).
Disclosure: what we don't claim
- No SOC 2 audit — we're too small. Pursuing one when revenue justifies it.
- No HIPAA / BAA. Don't upload PHI to EditorOP.
- No formal GDPR certification, but we honor data rights globally — see our privacy policy.