Skip to content

Last updated: July 2026

Security

This page describes controls maintained by HuLofton for the HuLofton marketplace. It is not an independent certification.

Account and authentication

  • Sign-in via email/password or Google. Sessions are managed by our authentication provider.
  • Passwords are hashed by the auth provider and never stored in cleartext.
  • OAuth flows use short-lived tokens and same-origin redirect URIs.

Data

  • Row-Level Security (RLS) is enabled on user-owned tables. Roles are stored in a dedicated table and checked server-side; roles never live on the profile object.
  • Sensitive server keys and webhook signing secrets are stored as encrypted secrets, not in source code.
  • Data is transmitted over HTTPS.

Payments

Card data is handled entirely by Stripe. HuLofton never receives full card numbers or CVV. Webhooks are verified with Stripe signatures; duplicate events are ignored idempotently.

AI

AI requests are proxied through a rate-limited, per-user server gateway. See AI Disclaimer.

Report a vulnerability

Please contact us through /support with "security" in the subject. Do not publicly disclose issues before we have had a reasonable chance to fix them.