AffiliateHubPro
← trust center

Defense in depth, by default.

Six layers — data, access, network, application, people, operations — each with independent controls. A failure at one layer doesn't become a breach at the next.

Data

  • AES-256 encryption at rest for the database and object storage.
  • TLS 1.3 in transit; HSTS preload with one-year max-age.
  • Field-level encryption for tax IDs, bank-account last-fours, and webhook secrets.
  • Append-only ledger tables — no in-place updates on financial events.

Access

  • Row-level security policies enforced in Postgres per merchant, affiliate, and admin role.
  • Short-lived service tokens; no long-lived database credentials in application code.
  • SSO + WebAuthn on all employee accounts; no shared logins.
  • Two-person rule for production database access, fully logged.

Network

  • Cloudflare edge with WAF and DDoS protection in front of every request.
  • Strict CORS, signed Stripe & internal webhooks, idempotency keys on every write.
  • Outbound traffic restricted to an allow-list of payment, email, and analytics partners.
  • Per-tenant rate limits to contain runaway integrations.

Application

  • Mandatory code review and CI checks on every change to the ledger and payouts.
  • Dependency scanning (npm audit + supply-chain) on every build.
  • Secrets stored in a managed vault; never committed, never echoed in logs.
  • Pre-deploy security gates: static analysis, type checks, RLS test suite.

People

  • Background checks for engineers with production access.
  • Annual security and privacy training; phishing simulations quarterly.
  • Onboarding & offboarding access checklists with automated revocation.
  • Internal incident response playbook with named on-call rotations.

Operations

  • Append-only audit logs for every actor, action, IP, and timestamp.
  • 13-month log retention; security events forwarded to immutable storage.
  • Point-in-time database recovery up to 7 days; daily offsite backups.
  • Tabletop incident response exercises every quarter.

// vulnerability disclosure

Report a vulnerability. Get a human within one business day.

We operate a coordinated disclosure program. Critical reports trigger an on-call page within 24 hours; standard reports get triage within 3 business days.

security@affiliatehubpro.comsecurity.txt
safe harbor

Good-faith research is welcome.

  • No legal action for research that follows this policy.
  • Do not access or modify other users' data; use your own test accounts.
  • No social engineering, DDoS, or physical attacks against staff or infrastructure.
  • Give us reasonable time to remediate before public disclosure.

// subprocessors

Every vendor that touches your data, in one list.

Subscribe to changes at privacy@affiliatehubpro.com to receive 30-day advance notice on new entries.

VendorPurposeRegion
StripePayments, payouts, Connect KYC, tax formsGlobal
SupabaseManaged Postgres, auth, storageUS / EU
CloudflareEdge network, WAF, DNS, R2 storageGlobal
ResendTransactional email deliveryUS
SentryError monitoring (PII-scrubbed)US / EU

// reliability

Status & uptime.

Live status page, historical incidents, and post-mortems.

status.affiliatehubpro.com
API

99.97%

last 90 days

Webhooks

99.95%

last 90 days

Need a security packet for procurement?

We share our pen-test summary, SOC 2 readiness letter, architecture diagrams, and sample DPA under NDA.

Request packet