Last updated: July 2026
Security
This page describes controls maintained by HuLofton for the HuLofton marketplace. It is not an independent certification.
Account and authentication
- Sign-in via email/password or Google. Sessions are managed by our authentication provider.
- Passwords are hashed by the auth provider and never stored in cleartext.
- OAuth flows use short-lived tokens and same-origin redirect URIs.
Data
- Row-Level Security (RLS) is enabled on user-owned tables. Roles are stored in a dedicated table and checked server-side; roles never live on the profile object.
- Sensitive server keys and webhook signing secrets are stored as encrypted secrets, not in source code.
- Data is transmitted over HTTPS.
Payments
Card data is handled entirely by Stripe. HuLofton never receives full card numbers or CVV. Webhooks are verified with Stripe signatures; duplicate events are ignored idempotently.
AI
AI requests are proxied through a rate-limited, per-user server gateway. See AI Disclaimer.
Report a vulnerability
Please contact us through /support with "security" in the subject. Do not publicly disclose issues before we have had a reasonable chance to fix them.
