Security

How We Protect Your Data

Last updated: May 25, 2026

CertLister is built on Google Cloud Platform and designed to keep your organization's data private, isolated, and encrypted. Here's exactly what that means in practice.

Infrastructure & Hosting

CertLister runs entirely on Google Cloud Platform — one of the most audited and certified cloud environments in the world. We use no self-managed servers.

  • Application layer: Google Cloud Run — fully managed, auto-scaling containers with no persistent server state
  • Database: PostgreSQL on Google Cloud SQL — no direct public internet access; connections are private
  • File storage: Google Cloud Storage, with files organized by organization ID — your PDFs and design assets are never mixed with another organization's files
  • Encryption in transit: All connections use TLS 1.2 or higher. There is no plain-HTTP fallback.
  • Encryption at rest: Google Cloud Platform encrypts all stored data at rest by default using AES-256
  • Daily backups: Cloud SQL performs automated daily backups. Deleted data may persist in encrypted backups for up to 90 days before being purged.
  • Environment isolation: Production and staging environments are fully separate — separate databases, separate storage buckets, separate services

Access & Authentication

Your organization's data is isolated at the database level — every query is scoped to your organization. It is not possible for one organization's account to access another's records.

  • Authentication options: email/password (bcrypt-hashed), Google OAuth 2.0, or email OTP for multi-factor authentication
  • MFA: Available on all accounts at no extra cost. OTP codes are valid for 10 minutes and single-use.
  • Account lockout: Accounts are locked for 15 minutes after 5 consecutive failed login attempts
  • Session management: Authentication uses short-lived JWTs. Tokens are blacklisted in Redis on logout — a signed-out session cannot be replayed.
  • Role-based access: Within your organization, access is controlled by roles — USER → MANAGER → ADMIN. Users only see what their role permits.
  • Bot protection: Cloudflare Turnstile is applied to public-facing forms to block automated abuse
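
The logout denylist described under Session management can be sketched as follows. This is an added example, not CertLister's own code: an in-memory Map stands in for Redis, and the HS256 signing, the 15-minute lifetime and every function name are assumptions made for illustration.

```javascript
// Added illustration only. The Map stands in for Redis; names and lifetime are assumed.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32);  // constructed signing key
const TTL_SECONDS = 15 * 60;            // assumed "short-lived" token lifetime
const denylist = new Map();             // jti -> exp (epoch seconds), like a Redis key with a TTL

const b64url = (v) => Buffer.from(v).toString('base64url');
const sign = (data) => crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

function issueToken(userId, now) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({
    sub: userId, jti: crypto.randomUUID(), iat: now, exp: now + TTL_SECONDS,
  }));
  return `${header}.${payload}.${sign(`${header}.${payload}`)}`;
}

// Returns the claims, or null if the token is forged, expired or revoked.
// The algorithm is fixed to HS256 here; the header's "alg" is never trusted.
function verifyToken(token, now) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const expected = Buffer.from(sign(`${header}.${payload}`));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try { claims = JSON.parse(Buffer.from(payload, 'base64url').toString()); } catch { return null; }
  if (typeof claims.exp !== 'number' || now >= claims.exp) return null;
  if (denylist.has(claims.jti)) return null;  // signed out: replay is rejected
  return claims;
}

// Logout: deny the jti only until the token would have expired anyway,
// so the denylist never holds more than one token lifetime of entries.
function logout(token, now) {
  const claims = verifyToken(token, now);
  if (!claims) return false;
  denylist.set(claims.jti, claims.exp);
  return true;
}

// Stand-in for Redis key expiry: drop entries whose token has already expired.
function purgeExpired(now) {
  for (const [jti, exp] of denylist) if (exp <= now) denylist.delete(jti);
  return denylist.size;
}
```

With Redis in place of the Map, the entry would be written with an expiry equal to the token's remaining lifetime, which makes purgeExpired unnecessary.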

Network & Application Security

  • Security headers: All responses include HTTP security headers via Helmet.js — including HSTS, X-Frame-Options, X-Content-Type-Options, and Content Security Policy
  • CORS: Cross-origin requests are restricted to app.certlister.com. No other origin can make authenticated API calls.
  • Rate limiting: Two-tier system — a global limit of 500 requests per 15 minutes per user, plus stricter limits on authentication endpoints (10 login attempts per 15 minutes)
  • Logging: We log errors and significant events for debugging and abuse detection. We do not log request bodies containing personal data. IP addresses are used for rate limiting only and are not stored long-term.

Responsible Disclosure

No system is perfectly secure. If you discover a vulnerability in CertLister, we want to hear from you.

  • Contact: security@certlister.com (or support@certlister.com)
  • Response time: We review all security reports within 5 business days
  • Our ask: Please don't exploit or publicly disclose the vulnerability until we've had a chance to investigate and fix it
  • We do not currently operate a bug bounty program

We treat all security reports seriously and will keep you informed as we investigate.
