Trust & security

Security

Honest disclosure of how the service is built, what we control, and what we don't. No SOC 2 logo wall, no “bank-grade” marketing — just the actual posture.

Last reviewed: 5 May 2026 · This page is updated whenever the posture changes; the date above is the source of truth.

Authentication

Passwordless only. No password reset flows because there are no passwords.

  • Magic link via email — links expire in 10 minutes and are single-use. Sent from noreply@web-down.com through Resend with SPF, DKIM, and DMARC aligned on the sending domain.
  • GitHub OAuth and Google OAuth — minimum scopes (read:user, user:email for GitHub; openid profile email for Google).
  • Account linking — magic link and OAuth on the same email auto-link to one account, so you can't accidentally end up with two accounts.
  • Sessions — managed by Better Auth, stored as HTTP-only Secure SameSite=Lax cookies. No client-side token storage, so script injected via XSS can't read the session token.
  • No password reuse risk — because we don't accept passwords. If your email or OAuth account is compromised, that's a problem upstream of us; we don't store credentials that could be replayed anywhere else.

Data handling

The minimum data possible, kept in Europe, deleted on a fixed schedule.

  • No IP addresses logged. For free-tier rate limiting we salt-and-hash an IP prefix with the current hour; the hash is one-way and discarded after 60 minutes. Nothing in our database can be reversed to identify a free-tier visitor.
  • No tracker pixels. Self-hosted Umami is the only analytics, opt-in via the GDPR cookie consent. No Google Analytics, no Facebook Pixel, no Hotjar, no LinkedIn Insight tag. Ever.
  • Data location. Convex is our database (US-hosted, encrypted at rest by the provider). Polar.sh holds payment data (PCI scope, EU regulated). The Next.js + monitoring workers run on a Hostinger VPS in Belgium.
  • Encryption in transit. TLS 1.2+ on every public hostname (web-down.com, admin.web-down.com), Let's Encrypt certs renewed automatically via Traefik. HSTS preloaded.
  • Retention. Per-check history retained 30 days. Daily aggregate metrics retained indefinitely (small per-row footprint, useful for trend analysis). Account deletion fully purges monitors, results, incidents, AI reports, anomalies, and subscriptions — runs synchronously when you click “Delete account” in settings.
  • No third-party data sale. We don't share, sell, or rent data to anyone. Subprocessors listed below are operationally necessary and named explicitly.
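The hourly-salted IP-prefix hashing described under “No IP addresses logged”, as an added example in TypeScript that is not the service's own code. It assumes /24 (IPv4) and /48 (IPv6) prefixes, an in-memory store and a limit of 100 requests per hour; none of those parameters are stated on this page.

```typescript
import { createHash, randomBytes } from "crypto";

// Constructed example, not the service's own code. Assumed parameters:
// IPv4 addresses are coarsened to /24, IPv6 to /48, and the limit is 100.
export const HOUR_MS = 60 * 60 * 1000;
export const FREE_TIER_LIMIT = 100;
interface HourBucket { salt: Buffer; counts: Map<string, number> }
const buckets = new Map<number, HourBucket>(); // one bucket per hour index

// Reduce an address to a coarse prefix so a hash can't single out one host.
export function ipPrefix(ip: string): string {
  if (ip.includes(":")) {
    const parts = ip.split("::");
    const groups = (parts[0] ?? "").split(":").filter(Boolean);
    const tailGroups = (parts[1] ?? "").split(":").filter(Boolean);
    while (groups.length + tailGroups.length < 8) groups.push("0"); // expand "::"
    const first3 = groups.concat(tailGroups).slice(0, 3);
    return first3.map((g) => g.toLowerCase().padStart(4, "0")).join(":") + "::/48";
  }
  const octets = ip.split(".");
  if (octets.length !== 4) throw new Error("unsupported address: " + ip);
  return octets.slice(0, 3).join(".") + ".0/24";
}

export const hourIndex = (now: number): number => Math.floor(now / HOUR_MS);

// Each hour gets a fresh random salt; older buckets (salt and counters)
// are dropped, so nothing survives past the 60-minute window.
function bucketFor(hour: number): HourBucket {
  let bucket = buckets.get(hour);
  if (!bucket) {
    for (const h of buckets.keys()) if (h < hour) buckets.delete(h);
    bucket = { salt: randomBytes(32), counts: new Map() };
    buckets.set(hour, bucket);
  }
  return bucket;
}

// One-way key: without the (already discarded) salt the hash can't be
// brute-forced back to a prefix, even though the prefix space is small.
export function hashPrefix(prefix: string, salt: Buffer): string {
  return createHash("sha256").update(salt).update(prefix).digest("hex");
}

// Counts the request and reports whether it is still within the hourly limit.
export function allowRequest(ip: string, now: number = Date.now()): boolean {
  const bucket = bucketFor(hourIndex(now));
  const key = hashPrefix(ipPrefix(ip), bucket.salt);
  const n = (bucket.counts.get(key) ?? 0) + 1;
  bucket.counts.set(key, n);
  return n <= FREE_TIER_LIMIT;
}
```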

Subprocessors

Every third party we route data through, and what they touch.

Provider | Purpose | Data exposed
Convex | Database + backend functions | Account email, monitor URLs, check results, incidents, AI reports
Polar.sh | Subscription billing (merchant of record) | Account email, billing address, country, payment method (PCI scope)
Resend | Transactional email delivery | Account email + outgoing message contents (alerts, magic links, weekly reports)
Anthropic (Claude API) | AI anomaly explanations + weekly digest (Pro tier) | Anomaly metadata + monitor URL; no email or PII
Hostinger | VPS hosting (Next.js + monitoring worker) | All app traffic and runtime state
Umami (self-hosted) | Cookieless analytics, opt-in | Page-view counts only; no user identifiers

Adding a subprocessor materially increases our data exposure, so we notify in the dashboard and via email at least 14 days before activation when one is added. You can cancel before the change takes effect.

Infrastructure & operations

What we run, who can touch it, what happens when something goes wrong.

  • Reverse proxy. Traefik terminates TLS and routes to two containers, the Next.js app and the monitoring worker (web-down-app, web-down-monitoring-worker); no VPS ports are exposed directly besides 80/443.
  • Admin surface isolation. admin.web-down.com is a separate subdomain. Middleware redirects every non-admin path on that host back to the main site, marks every admin response X-Robots-Tag: noindex, nofollow, and the admin pages themselves enforce a three-layer auth gate (env var allowlist + Better Auth session check + Convex query-level re-check).
  • Single-operator access. One person (flndrn) holds production credentials. No shared admin accounts, no contractor logins, no support staff with database access. Reduces blast radius of any one credential compromise.
  • Backups. Convex provides point-in-time recovery for the database. The VPS runs daily Hostinger snapshots. Both are tested by spinning up restores quarterly (next scheduled: Q3 2026).
  • Dependency hygiene. npm audit + Renovate-style review on a 14-day cadence. We don't pin @latest on direct deps; the lockfile is committed and reviewed on each change.

EU regulatory posture

GDPR, EU VAT directive, KYC for paid customers.

  • GDPR. Operated under Belgian/EU jurisdiction. Lawful bases: contract (paid accounts), consent (analytics, marketing), legitimate interest (free-tier abuse prevention via rate-limited IP hashes). Data subject rights (access, rectification, erasure, portability, restriction) are honored — see Privacy Policy for the formal flow.
  • EU VAT directive. Polar.sh handles the billing side as our merchant of record — VAT calculated and remitted per the customer's billing country, with a valid invoice issued for every charge.
  • KYC for paid customers. Billing address, date of birth, and country of birth are collected on settings — required for EU customer-identification rules. Stored in the same database as account data, accessed only by the operator, never used for marketing.
  • No US-style data export. Customer support and account operations stay in the EU. Convex (database) is the one US-hosted subprocessor; we're evaluating its EU regional offering as it matures.

Vulnerability disclosure

If you've found a security issue, we want to hear about it.

  • In scope: web-down.com, admin.web-down.com, the Convex backend, monitor worker, public APIs.
  • Out of scope: third-party services we use (report directly to them), denial-of-service attacks, social engineering of the operator, physical attacks on data-center hardware.
  • How to report: use the contact form with subject tag #bug and “security” in the message. We'll acknowledge within two business days, work with you on a fix, and credit you in the release notes if you'd like.
  • Bounty program: we don't run a paid bounty program at this stage of the business — we're a single operator without budget for it. We'll send a sincere thank-you, public credit, and a free year of Pro for material findings. As revenue grows we'll formalize this with a real bounty schedule.
  • Safe harbour. Good-faith security research that respects scope and doesn't access user data beyond what's needed to demonstrate the issue will not be pursued legally. If a finding requires touching user data, stop and ask first.

What's deliberately not here yet

We don't hold SOC 2 Type II, ISO 27001, or HIPAA certifications. The cost-to-value of those for a single-operator SaaS at our stage doesn't justify the audit fees, and we'd rather say so honestly than pay a consultancy to bolt on the appearance of compliance. If you operate in a regulated industry that requires those certifications, you should buy from someone who has them — and we won't be offended.

Questions or concerns about anything on this page? Get in touch.