Security Overview

Last updated: May 28, 2026

This page summarizes Billslash's security posture for prospective customers, partners, and auditors. For a detailed questionnaire response or our latest scan reports, contact security@billslash.app.

1. Program highlights

  • Encryption — TLS 1.2+ in transit; AES-256 at rest across the Lovable Cloud / Supabase / Cloudflare stack.
  • Authentication — email + password and Google SSO. TOTP MFA available to every user, strongly encouraged for admins.
  • Authorization — Row-Level Security on customer-data tables; least-privilege role checks via a SECURITY DEFINER has_role() function.
  • Audit logging — 24-month retention of administrative and sensitive actions, exportable as CSV from the in-app Audit Logs page.
  • Network hardening — HSTS (1 year, preload), Content-Security-Policy, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy locked down by default.
  • Secrets — centralized secret manager; service-role keys never reach the browser bundle; quarterly rotation drill.
  • Vulnerability management — dependency scanning on every push, SAST via CodeQL, monthly DAST, annual third-party penetration test.
  • Incident response — documented IRP with 48-hour customer notification target and 72-hour controller notification (GDPR-aligned).
  • Sub-processors — Lovable Cloud (Supabase), Cloudflare, Stripe, Resend, Sentry.

2. Internal documents

3. Reporting a vulnerability

Email security@billslash.app. We acknowledge reports within two business days and provide a remediation timeline within five. We do not pursue legal action against good-faith researchers who follow coordinated disclosure.