Security
We take the security of our customers’ data seriously. This page summarises the measures we have in place and how you can report a vulnerability to us.
1. Data protection
- All traffic served over HTTPS with HSTS preloaded.
- OAuth tokens for connected platforms are encrypted at rest using AES-256-GCM.
- Passwords are hashed with bcrypt (cost factor 12). We never store plaintext passwords.
- Database connections are TLS-encrypted; backups are encrypted by the provider.
- Strict Content-Security-Policy and security headers on every response.
2. Application security
- Server-side authorisation on every protected route, with role-based access for admin features.
- OAuth state parameters are HMAC-signed with a short TTL to prevent CSRF.
- Stripe webhooks are verified against the endpoint signing secret and processed idempotently, keyed by event ID.
- Login is rate-limited per IP and email to slow credential-stuffing attempts.
- Per-plan AI quotas prevent runaway usage.
3. Infrastructure
- Hosted on managed providers (Vercel, Railway, Supabase, Upstash) that hold SOC 2 / ISO 27001 attestations.
- Production secrets are stored in encrypted environment-variable stores, never in source.
- Least-privilege access for staff; production access requires individual accounts.
4. Incident response
If we determine that your data has been compromised, we will notify affected users and, where required, the appropriate supervisory authorities, in line with applicable law.
5. Coordinated disclosure
We welcome reports of security issues from researchers acting in good faith. Please:
- Email security@growhtos.com with steps to reproduce.
- Give us a reasonable opportunity to fix the issue before public disclosure.
- Avoid privacy violations, service disruption, or destruction of data during testing.
- Do not test against accounts you do not own. Use your own test account.
We commit to acknowledging your report within 3 business days and providing a status update within 14 days. We will not pursue legal action against researchers who act in good faith under this policy.