Security
Security is built into every layer of ChurnBurn — not bolted on afterwards. Here's exactly what we do to keep your data safe.
Data in Transit
- All traffic encrypted via TLS 1.2+
- HTTPS enforced on every endpoint
- Strict Content Security Policy headers
- HSTS, X-Content-Type-Options, and Referrer-Policy headers
Data at Rest
- Database encryption at rest
- Passwords hashed with bcrypt
- API keys stored as hashed values, never in plaintext
- Secure data deletion upon account termination
Access Control
- JWT-based authentication with short-lived tokens
- Role-based access control (user / admin)
- Automated token expiry and session invalidation
- API key scoping per integration
Infrastructure
- Hosted on EU-region infrastructure
- Rate limiting and slow-down middleware on all endpoints
- Strict CORS allowlist — only approved origins accepted
- DDoS protection at the network layer
Application Security
- Input validation and sanitisation on all API endpoints
- SQL injection protection via parameterised queries (Sequelize ORM)
- X-Powered-By header suppressed
- Helmet.js security headers on every response
Data Privacy & GDPR
- GDPR-compliant data processing with full DPA available
- Client data never used to train models for other clients
- Data deletion on request or account termination
- Cookie consent management with granular controls
Payments
- All payments processed by Stripe (PCI DSS Level 1)
- No card data ever touches ChurnBurn servers
- Stripe webhook signatures verified on every event
Incident Response
- Security issues can be reported to legal@churnburn.io
- We aim to acknowledge all security reports within 24 hours
- Personal data breach notification within 72 hours of becoming aware of the breach, as required by GDPR Art. 33
Questions about security?
We're happy to answer any questions or provide our full Data Processing Agreement.