Security Overview
Last updated: May 28, 2026
This page summarizes Billslash's security posture for prospective customers, partners, and auditors. For a detailed questionnaire response or our latest scan reports, contact security@billslash.app.
1. Program highlights
- Encryption — TLS 1.2+ in transit; AES-256 at rest across the Lovable Cloud / Supabase / Cloudflare stack.
- Authentication — email + password and Google SSO. TOTP MFA available to every user, strongly encouraged for admins.
- Authorization — Row-Level Security on customer-data tables; least-privilege role checks via a
SECURITY DEFINER has_role()function. - Audit logging — 24-month retention of administrative and sensitive actions, exportable as CSV from the in-app Audit Logs page.
- Network hardening — HSTS (1 year, preload), Content-Security-Policy, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy locked down by default.
- Secrets — centralized secret manager; service-role keys never reach the browser bundle; quarterly rotation drill.
- Vulnerability management — dependency scanning on every push, SAST via CodeQL, monthly DAST, annual third-party penetration test.
- Incident response — documented IRP with 48-hour customer notification target and 72-hour controller notification (GDPR-aligned).
- Sub-processors — Lovable Cloud (Supabase), Cloudflare, Stripe, Resend, Sentry.
2. Internal documents
Incident Response Plan
Severity model, escalation, breach-notification SLAs.
Vulnerability Management Runbook
Scanning cadence, CVSS-based SLAs, exceptions process.
Data Processing Agreement (template)
B2B DPA with SCCs and CCPA terms — ready to sign.
3. Reporting a vulnerability
Email security@billslash.app. We acknowledge reports within two business days and provide a remediation timeline within five. We do not pursue legal action against good-faith researchers who follow coordinated disclosure.