Security & Responsible Disclosure

We take the security of AwardKit and our customers' programs seriously. If you have found a vulnerability, here is how to report it and what to expect.

How we protect your data

Program managers trust us with their entrants' data. Here are the safeguards built into AwardKit.

Account security

Passwords are hashed and never stored in plain text. Email verification is required, two-factor authentication is available, and sensitive endpoints are rate-limited against brute-force attempts.

Encryption

All traffic is encrypted in transit over HTTPS/TLS, and your data is encrypted at rest in our cloud infrastructure.

Payments

Payments are processed by Stripe, a PCI-DSS Level 1 provider. AwardKit never sees or stores your full card number.

Application safeguards

Session cookies are set with the Secure and HttpOnly flags, and authenticated actions are protected against CSRF. Each organization and program is access-scoped to its authorized members.

For how we collect, use, and let you control your data, see our Privacy Policy.

Where your data lives

We rely on a small set of trusted infrastructure providers to run AwardKit. Each one only receives the data needed to deliver its part of the service.

Our commitments

Beyond the technical safeguards, here is how we operate.

You can delete your data at any time

Delete your account or any program from your settings. Your data is removed from our active systems immediately. Encrypted database backups follow our infrastructure providers' standard retention schedules and are typically purged within 30 days, after which deleted data is no longer recoverable.

Limited internal access

Access to production systems and customer data is restricted to authorized personnel, logged, and used only to support customers or investigate incidents.

Incident notification

If a security incident affects your data, we will notify affected customers without undue delay.

Report a vulnerability

Email our security team directly with the details below. This is a dedicated channel for security reports, not a general support inbox.

security@awardkit.io

What to include in a report

We cannot act on vague reports. The more of this you provide, the faster we can validate and fix the issue.

Affected target

The exact URL or endpoint where the issue occurs.

Reproduction

Clear, step-by-step instructions to reproduce it.

Impact

What an attacker could actually do by exploiting it.

Evidence

Proof of concept, screenshots, or sample requests.

In scope

  • Authentication and authorization flaws
  • Injection, remote code execution, or data exposure
  • Issues that let one user access another user or program data
  • Vulnerabilities in our web application at awardkit.io

Out of scope

  • Reports with no demonstrated impact or reproduction steps
  • Automated scanner output without a verified, exploitable finding
  • Missing best-practice headers with no concrete exploit
  • Denial-of-service, social engineering, or physical attacks

Responsible disclosure

Please give us a reasonable amount of time to investigate and address an issue before any public disclosure. Do not access, modify, or delete data that is not yours, and do not run denial-of-service or other destructive testing against our systems. Acting in good faith under this policy means we will not pursue legal action related to your research.

We do not currently run a paid bug bounty program. We recognize valid reports with our thanks and, where appropriate, public credit for your responsible disclosure.

Our machine-readable contact information is published at /.well-known/security.txt following RFC 9116.