Security

Protecting your data, your account, and your earnings is our top priority. Here's how we keep everything secure.

Encryption in Transit & at Rest

  • All connections use TLS 1.2+ (HTTPS) — data is encrypted between your browser and our servers.
  • Database storage is encrypted at rest using AES-256, the same standard used by banks.
  • Authentication tokens are signed and transmitted only over secure channels.

Authentication & Access Control

  • Passwords are hashed using bcrypt with per-user salts — we never store plaintext passwords.
  • Minimum 8-character passwords with uppercase, lowercase, and number requirements.
  • Session tokens expire automatically and are refreshed via secure middleware.
  • Row-level security (RLS) policies ensure you can only access your own data.

Payment Security

  • All payment processing is handled by Stripe, a PCI DSS Level 1 certified provider.
  • We never see, store, or have access to your credit card number.
  • Stripe handles all sensitive payment data in their secure, audited infrastructure.
  • Subscription management and the billing portal are hosted entirely by Stripe.

Your Affiliate Links Are Yours

  • We never modify, redirect, replace, or proxy your affiliate links.
  • Links are stored exactly as you enter them and served directly to your visitors.
  • We have no access to your affiliate accounts or earnings — they go straight to you.

Infrastructure

  • Hosted on Railway with automatic deployments and zero-downtime rollouts.
  • Database hosted on Supabase (built on PostgreSQL) with automated backups.
  • Application and database run in isolated containers with no shared resources.
  • Environment secrets are stored encrypted and never committed to source code.

Data Backup & Recovery

  • Database is backed up automatically on a daily schedule by Supabase.
  • Point-in-time recovery is available, allowing us to restore data to its state at any moment.
  • Your product data can be exported at any time from your dashboard.

Application Security

  • Server-side input validation on all forms and API endpoints.
  • Protection against common web vulnerabilities (XSS, CSRF, SQL injection).
  • Rate limiting on authentication endpoints to prevent brute-force attacks.
  • All third-party dependencies are regularly audited and updated.

Incident Response

  • If we discover a security breach affecting your data, we will notify you within 72 hours.
  • We maintain logging and monitoring to detect and respond to suspicious activity.
  • Security issues can be reported to hello@links.fitness — we take every report seriously.

Found a vulnerability?

If you believe you've found a security issue, please email us at hello@links.fitness. We appreciate responsible disclosure and will respond promptly.