Legal

Security

Last updated: April 27, 2026

1. Our Commitment to Security

DropFix takes security seriously. We implement industry-standard measures to protect your data and our infrastructure. This page outlines our security practices, compliance, and how we handle data protection.

2. Infrastructure Security

2.1 Hosting and Infrastructure

  • Application hosted on Fly.io with distributed infrastructure
  • Frontend deployed on Vercel Edge Network
  • Database and authentication via Supabase (SOC 2 compliant)
  • Automatic scaling and load balancing

2.2 Data Encryption

  • All data encrypted in transit using TLS 1.2/1.3
  • Encryption at rest for all stored data
  • Database-level encryption for sensitive fields
  • Secure API communication with certificate pinning

2.3 Network Security

  • Firewall protection and DDoS mitigation
  • Intrusion detection and prevention systems
  • Regular security patching and updates
  • Network segmentation between services

3. Access Controls

  • Multi-factor authentication (MFA) required for all team members
  • Role-based access control (RBAC) for workspace access
  • Principle of least privilege for all system access
  • Regular access reviews and audits
  • Immediate revocation of access upon team member departure
  • API keys with expiring tokens and proper scoping

4. Authentication and Authorization

4.1 User Authentication

Powered by Supabase Auth with secure session management.

4.2 OAuth Security

  • Secure OAuth 2.0 flows for integrations (Stripe, Slack, Gmail)
  • Token storage with encryption at rest
  • Scoped permissions with principle of least privilege
  • Easy revocation of connected integrations

5. SDK and Tracking Security

  • SDK communicates over HTTPS with certificate validation
  • Event data sanitized before transmission
  • No storage of sensitive data in SDK-side caches
  • SDK is hosted on a CDN with security patches applied to new versions. Founders loading the latest SDK automatically receive updates.
  • Rate limiting to prevent abuse of tracking endpoints

6. AI Data Handling

When generating email drafts, only anonymized behavioural signals are sent to Anthropic's Claude API. Personal data (names, emails, phone numbers) is never transmitted to third-party AI providers. This ensures privacy while enabling intelligent automation.

7. Email Security

All outbound emails (digests, dunning, notifications) are sent through Resend, which provides:

  • SPF, DKIM, and DMARC authentication
  • Spam and phishing protection
  • Email deliverability optimization
  • Encryption of email content in transit

8. Payment Security

Payments are processed exclusively through Stripe, a PCI DSS Level 1 certified payment processor. DropFix never stores or handles raw payment card data. All payment information is managed directly by Stripe with full PCI compliance.

9. Compliance

9.1 Data Protection

  • GDPR compliant for EU users
  • DPDP Act compliant for Indian users
  • CCPA compliant for California residents
  • Data Processing Agreement (DPA) available for customers

9.2 Infrastructure Compliance

  • Supabase SOC 2 Type II certified
  • Vercel SOC 2 / SOC 3 compliant
  • Stripe PCI DSS Level 1 compliant
  • Fly.io — secure distributed infrastructure

10. Incident Response

In the event of a security incident or data breach:

  • Automated alerting and monitoring for suspicious activity
  • Dedicated incident response team
  • 72-hour notification to affected users as required by GDPR
  • Post-incident review and remediation
  • Transparent communication with affected parties

11. Data Backup and Recovery

  • Automated daily backups of database
  • Backups retained for 30 days
  • Disaster recovery plan with tested restoration procedures
  • Recovery time objective (RTO) target of under 4 hours
  • Recovery point objective (RPO) of under 24 hours

12. Employee Practices

  • Security training required for all team members
  • Confidentiality agreements in employment contracts
  • Secure development practices and code reviews
  • Access to production systems logged and audited

13. Responsible Disclosure

We welcome security research and responsible disclosure. If you discover a security vulnerability, please contact us at security@dropfix.io. We will work with you to confirm and address the issue promptly.

14. Contact

For security-related questions or to report a vulnerability, please contact us:

DropFix Security Team

Email: security@dropfix.io

Website: dropfix.io