How we protect your data and the Qualifyr platform.
Security is fundamental to Qualifyr. We handle sensitive client information, booking data, and payment flows — protecting this data is a core responsibility. This page describes our security practices and infrastructure.
Infrastructure
Hosting: The Qualifyr web application is hosted on Vercel, which provides edge deployment, DDoS protection, and automatic SSL/TLS termination.
Database & Auth: Supabase provides our database, authentication, and file storage infrastructure. Supabase runs on AWS with SOC 2 Type II compliance, offering encrypted data at rest (AES-256) and in transit (TLS 1.2+).
Edge Functions: Server-side logic runs on Supabase Edge Functions (Deno runtime) with isolated execution environments.
Data Encryption
In Transit: All data transmitted between your browser and Qualifyr is encrypted using TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS.
At Rest: Data stored in Supabase is encrypted at rest using AES-256 encryption. Database backups are also encrypted.
Secrets: API keys, database credentials, and other secrets are stored in encrypted environment variables and are never exposed in client-side code.
Authentication
Authentication is managed by Supabase Auth, which supports email/password, magic links, and OAuth providers.
User sessions use secure, HTTP-only cookies, and session tokens are refreshed automatically.
Passwords are hashed using bcrypt with salting before storage — we never store plaintext passwords.
Row Level Security (RLS) policies ensure users can only access their own data.
Payment Security
All payment processing is handled by Paddle, a PCI DSS Level 1 certified Merchant of Record. Qualifyr never collects, stores, or processes credit card numbers or payment card data directly. Paddle manages:
Supabase Row Level Security (RLS) is enabled on all tables, ensuring users can only read and write their own data.
Admin access to the Qualifyr dashboard is restricted to authorized personnel only.
API routes validate authentication tokens before processing requests.
Service role keys are server-side only and never exposed to client code.
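The "users can only read and write their own data" guarantee described above rests on Postgres Row Level Security policies. The following is an added illustration, not Qualifyr's actual schema or policies: the table name bookings and column owner_id are assumed, while auth.uid() and the authenticated role are the standard Supabase helper and role.

```sql
-- Added example (not Qualifyr's own schema): an owner-scoped bookings table under Supabase RLS.
-- Assumed names: table "bookings", column "owner_id". auth.uid() returns the caller's JWT subject.
create table if not exists bookings (
  id          bigint generated always as identity primary key,
  owner_id    uuid not null default auth.uid() references auth.users (id),
  client_name text not null,
  starts_at   timestamptz not null
);

-- Without this line the policies below are never consulted and every role can read every row.
alter table bookings enable row level security;

-- Read: only rows whose owner matches the caller's JWT subject.
create policy "bookings: owner can read"
  on bookings for select
  to authenticated
  using (owner_id = auth.uid());

-- Insert: a new row must be stamped with the caller's own id, not an arbitrary one.
create policy "bookings: owner can insert"
  on bookings for insert
  to authenticated
  with check (owner_id = auth.uid());

-- Update: the row must be owned by the caller both before (using) and after (with check)
-- the change, so a user cannot reassign a booking to someone else's account.
create policy "bookings: owner can update"
  on bookings for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "bookings: owner can delete"
  on bookings for delete
  to authenticated
  using (owner_id = auth.uid());

-- No policy is granted to the anon role, so unauthenticated requests see zero rows.
-- The service_role key bypasses RLS entirely, which is why it must stay server-side only.

-- Quick check from the SQL editor: impersonate an authenticated user with a constructed
-- subject claim and confirm only that user's rows come back.
begin;
set local role authenticated;
set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
select count(*) from bookings;   -- counts only rows owned by that constructed subject
rollback;
```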
Sub-Processors
We use the following third-party services to operate Qualifyr. Each handles data as described below:
Provider | Purpose | Data Handled
Supabase | Database, Auth, Storage | User accounts, client data, bookings, files
Paddle | Payment processing | Payment details, billing info, transactions
Vercel | Hosting & deployment | Application code, request logs
Vulnerability Reporting
If you discover a security vulnerability in Qualifyr, please report it responsibly by emailing support@qualifyr.app. We will review your report and respond within a reasonable timeframe. We ask that you do not publicly disclose the vulnerability until we have had a chance to address it.
Incident Response
In the event of a security incident affecting user data, we will:
Investigate and contain the incident promptly
Notify affected users in accordance with applicable data protection laws
Take steps to prevent recurrence and improve our security posture