Security

Enterprise-grade security, by default

Foglift is built with a privacy-first architecture. We scan only public URLs, never store credentials, and use industry-standard encryption at every layer.

Security practices

Encryption in Transit & at Rest

All traffic uses TLS 1.3. The database is encrypted at rest with AES-256. API keys are hashed before storage.

No Credential Storage

Foglift never stores your website credentials, passwords, or login tokens. We only scan publicly accessible URLs.

Stripe-Managed Billing

Payment processing is handled entirely by Stripe. Credit card numbers never touch our servers. PCI DSS compliant via Stripe.

Authentication via Supabase

User authentication is powered by Supabase Auth with Row-Level Security (RLS). Every database query is scoped to the authenticated user.

Minimal Data Retention

Scan results are cached for 1 hour, then refreshed on next request. Free-tier scans are not permanently stored. Paid plans retain history per your subscription.

Rate Limiting & Abuse Prevention

IP-based and API-key-based rate limiting prevents abuse. Free tier: 15 scans/day. Paid tiers: generous limits with automatic backoff.

Security Headers

Foglift itself passes its own security checks, with HSTS, X-Content-Type-Options, X-Frame-Options, CSP, and Referrer-Policy headers configured.

Open Source Components

Our MCP server and CLI scanner are open source on npm (foglift-mcp, foglift-scan). Inspect the code yourself before installing.

Infrastructure

Component    Provider
Hosting      Vercel (Edge Network)
Database     Supabase (PostgreSQL)
Payments     Stripe (PCI DSS L1)
Email        Resend (SPF/DKIM/DMARC)
DNS/CDN      Vercel Edge + Cloudflare
Auth         Supabase Auth (JWT + RLS)

What we collect (and what we don't)

What we collect

  • Public URL and scan results (scores, issues)
  • Email address (for account and notifications)
  • GEO monitoring prompts you configure
  • Usage metrics (scans/day, API calls) for rate limiting

What we never collect

  • Website login credentials or passwords
  • Credit card numbers (Stripe handles all payment data)
  • Private or authenticated page content
  • Browser cookies or tracking pixels

Compliance

GDPR

Foglift processes only publicly available website data. For user accounts, you can export or delete your data at any time from Settings. We do not sell or share personal data with third parties.

CCPA

California residents can request data deletion by contacting watson@foglift.io. We do not sell personal information.

SOC 2

Our infrastructure providers (Vercel, Supabase, Stripe) are SOC 2 Type II certified. Foglift inherits these controls for hosting, database, and payment processing.

Responsible disclosure

Found a security vulnerability? We appreciate responsible disclosure. Please email watson@foglift.io with details. We aim to acknowledge reports within 48 hours.

Questions about security?

We're happy to discuss our security practices in detail.