Security
How we protect customer artwork and account data — from the moment you upload a source file through delivery and 90-day retention.
VectorWiz serves all traffic over TLS 1.2+ with HSTS, stores artwork in private buckets with 60-second signed download URLs, and keeps every credit movement in an immutable Postgres ledger. PayPal handles all card data; webhooks are signature-verified server-side. Source files are purged 90 days after delivery. We acknowledge credible security reports within 1 business day and patch exploitable issues within 7 days of confirmation.
Last updated: 2026-05-12.
Overview
VectorWiz handles customer artwork that's often pre-launch or commercially sensitive. This page describes how we protect it — from the moment you upload a source file through delivery and 90-day retention.
Data in transit
- HTTPS-only: the marketing site, dashboard, and all APIs are served exclusively over TLS 1.2+ with HSTS preload.
- Signed upload URLs: source artwork is uploaded directly to Supabase Storage via short-lived signed PUT URLs we mint server-side. Your file never touches a third-party CDN cache or proxy.
- Signed download URLs: deliverables are served via 60-second signed GET URLs. The underlying storage bucket is private.
Data at rest
- Database: Supabase (Postgres) on AWS US-West-1, AES-256 encryption at rest, automated daily backups with point-in-time recovery.
- File storage: Supabase Storage (S3-compatible), private buckets, AES-256 server-side encryption. Direct public access is disabled at the bucket level.
- Application logs: Server runtime logs (systemd journal + Nginx access logs). PII is excluded from log messages by convention; if you ever spot leakage, email security@vectorwiz.com.
Payments
We use PayPal exclusively for subscriptions, credit packs, and custom invoices. PayPal handles all card data; VectorWiz never sees a customer's card number, CVC, or PayPal password. Webhook events from PayPal are signature-verified server-side before any credit grant or order transition.
Credit ledger integrity
Every credit movement (plan grant, top-up purchase, order debit, refund, expiry, admin adjustment) is appended to an append-only Postgres ledger; rows are never updated or deleted. The wallet balance is always the sum of that ledger; we never store a denormalized balance that could drift out of step with it. Admin adjustments are audit-logged with actor identity and reason.
Authentication
- Customer sign-in: passwordless email magic link via NextAuth. No password is stored anywhere in our infrastructure.
- Sessions: server-side, HTTP-only, SameSite=Lax cookies. Session secrets are rotated per environment.
- Role separation: customer, staff, and admin roles are gated at the middleware layer and re-checked in every server action / API route. Cross-role data leaks are unit-tested.
Application security
- CSP + security headers: Content-Security-Policy, HSTS, X-Content-Type-Options, X-Frame-Options=DENY, Referrer-Policy=strict-origin-when-cross-origin, Permissions-Policy are set platform-wide.
- CSRF + replay protection: Next.js server actions rely on the framework's built-in same-origin check (the request's Origin must match the serving host) rather than a separately managed token; pre-account order-review links use HMAC-signed tokens bound to the order id, so a token minted for one order cannot be presented against another.
- Race-condition hardening: credit debits and order state transitions take a Postgres advisory lock on the organization id before reading balance, eliminating time-of-check/time-of-use overdraws under concurrent submissions.
- Rate limits: order submissions are rate-limited per IP. Webhook endpoints reject any request without a valid provider signature.
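The order-bound review token described above, as an added example rather than VectorWiz's own code. It assumes a token layout of `base64url(payload).base64url(HMAC-SHA256(secret, payload))` with a JSON payload of `{orderId, exp}`, a hypothetical per-environment secret `REVIEW_TOKEN_SECRET`, and the function names `mintReviewToken` / `verifyReviewToken`; none of those names come from the page. The verifier rejects a token whose MAC does not match, whose expiry has passed, or whose embedded order id differs from the order the link is being used on.

```javascript
// Added example (not VectorWiz code): HMAC-signed review token bound to one order id.
// Assumed layout: base64url(payload) + "." + base64url(HMAC-SHA256(secret, payload)),
// payload = JSON {orderId, exp} with exp in seconds since the epoch.
const crypto = require('node:crypto');

// Hypothetical per-environment secret; in a real deployment read it from the environment.
const REVIEW_TOKEN_SECRET = crypto.randomBytes(32);

function b64url(buf) {
  return Buffer.from(buf).toString('base64url');
}

// MAC over the encoded payload, so the MAC covers exactly the bytes the verifier parses.
function mac(payloadB64, secret) {
  return crypto.createHmac('sha256', secret).update(payloadB64).digest();
}

// Mint a token for one order with a time-to-live in seconds.
function mintReviewToken(orderId, ttlSeconds, secret = REVIEW_TOKEN_SECRET, now = Date.now()) {
  const payload = b64url(JSON.stringify({ orderId, exp: Math.floor(now / 1000) + ttlSeconds }));
  return `${payload}.${b64url(mac(payload, secret))}`;
}

// Verify a token presented for a specific order. Returns the decoded payload on success,
// or null when the MAC is wrong, the token has expired, or it was minted for another order.
function verifyReviewToken(token, expectedOrderId, secret = REVIEW_TOKEN_SECRET, now = Date.now()) {
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const [payload, givenB64] = parts;
  const expected = mac(payload, secret);
  const given = Buffer.from(givenB64, 'base64url');
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let data;
  try {
    data = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (typeof data.exp !== 'number' || data.exp < Math.floor(now / 1000)) return null;
  // Binding check: the order id inside the token must match the order the link targets.
  if (data.orderId !== expectedOrderId) return null;
  return data;
}
```

The order id is checked after the MAC, not instead of it: the MAC proves the server minted the token, and the binding check stops a valid token for order A from being replayed on order B. Forging a token for a different order is equivalent to forging the MAC, which requires the secret.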
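The two invariants from the credit-ledger section and the race-condition item above, as one added example that is not VectorWiz's code: the wallet balance is only ever the sum of an append-only ledger, and the read-balance-then-debit step runs under a per-organization lock. The page's real lock is a Postgres advisory lock taken inside the debiting transaction; here an in-memory per-key mutex (`KeyedLock`, a stand-in, not the Postgres call) replaces it so the overdraw can be reproduced offline. `CreditLedger`, `debitUnsafe`, `debitLocked` and `simulate` are names chosen for the example; the `setImmediate` yield models the database round-trip between reading the balance and writing the debit.

```javascript
// Added example (not VectorWiz code): append-only ledger with balance = SUM(ledger),
// and a per-organization lock around read-then-debit. In Postgres the lock is
// SELECT pg_advisory_xact_lock(<org id>) inside the transaction; KeyedLock stands in for it.

// Append-only ledger: there is no update or delete, and the balance is never cached.
class CreditLedger {
  constructor() { this.rows = []; }
  append(orgId, kind, amount, ref) {
    this.rows.push({ seq: this.rows.length + 1, orgId, kind, amount, ref });
  }
  balance(orgId) {
    return this.rows.filter(r => r.orgId === orgId).reduce((sum, r) => sum + r.amount, 0);
  }
}

// Minimal per-key async mutex: callers for the same key run one at a time, in arrival order.
class KeyedLock {
  constructor() { this.tails = new Map(); }
  async run(key, fn) {
    const prev = this.tails.get(key) || Promise.resolve();
    let release;
    const mine = new Promise(resolve => { release = resolve; });
    this.tails.set(key, prev.then(() => mine));
    await prev;
    try { return await fn(); } finally { release(); }
  }
}

const dbRoundTrip = () => new Promise(resolve => setImmediate(resolve));

// Unsafe: balance is read, control yields (a DB round-trip), then the debit is written.
// Concurrent submissions all observe the same pre-debit balance and all pass the check.
async function debitUnsafe(ledger, orgId, cost, orderId) {
  const balance = ledger.balance(orgId);
  await dbRoundTrip();                       // interleaving point
  if (balance < cost) return false;
  ledger.append(orgId, 'order_debit', -cost, orderId);
  return true;
}

// Safe: the same read-check-write sequence, but serialized per organization.
async function debitLocked(lock, ledger, orgId, cost, orderId) {
  return lock.run(orgId, async () => {
    const balance = ledger.balance(orgId);
    await dbRoundTrip();
    if (balance < cost) return false;
    ledger.append(orgId, 'order_debit', -cost, orderId);
    return true;
  });
}

// Fire `submissions` concurrent orders at a wallet that was granted `credits`.
// Returns how many debits were accepted and the resulting ledger balance.
async function simulate(useLock, credits = 10, submissions = 3, cost = 6) {
  const ledger = new CreditLedger();
  const lock = new KeyedLock();
  ledger.append('org_1', 'plan_grant', credits, 'monthly_plan');   // constructed sample data
  const jobs = Array.from({ length: submissions }, (_, i) =>
    useLock
      ? debitLocked(lock, ledger, 'org_1', cost, `ord_${i}`)
      : debitUnsafe(ledger, 'org_1', cost, `ord_${i}`));
  const results = await Promise.all(jobs);
  return { accepted: results.filter(Boolean).length, balance: ledger.balance('org_1') };
}
```

With 10 credits and three concurrent 6-credit orders, the unsafe path accepts all three and the ledger sums to -8; the locked path accepts one and leaves 4. Because the balance is always recomputed from the ledger, the overdraw is visible in the ledger itself rather than hidden behind a stale cached number, which is the point of never storing a denormalized balance.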
Monitoring and incident response
The /api/health endpoint exposes integration readiness for external monitoring. We commit to acknowledging credible security reports within 1 business day and patching exploitable issues within 7 days of confirmation.
Data retention and deletion
Source artwork and deliverables are purged 90 days after order delivery. Account, billing, and ledger records are retained while your account is active and for 7 years after closure for tax and accounting compliance. To request earlier deletion, email privacy@vectorwiz.com.
Reporting a vulnerability
Found something? Email security@vectorwiz.com with steps to reproduce. Please give us a reasonable window to remediate before disclosure. We don't currently run a paid bounty program, but we publicly credit researchers who report in good faith.
Reviewed by VectorWiz Production Team · last updated May 12, 2026