Your security is our top priority
We take security seriously at every layer of the stack. Here's how we protect your data and our platform.
Our Security Practices
Encryption at rest & in transit
All data is encrypted at rest using AES-256. All data in transit uses TLS 1.3 or higher. Database backups are encrypted before storage.
SOC 2 Type II compliance
Our infrastructure provider (Supabase) is SOC 2 Type II certified. We are currently undergoing our own SOC 2 audit, expected completion Q4 2026.
Annual penetration testing
We work with independent security firms to conduct annual penetration tests of our platform. Critical findings are resolved within 24 hours.
Access controls
All SnapSkill team members use hardware security keys for authentication. Access to production systems follows the principle of least privilege.
Payment security
We use Stripe for all payment processing. Card numbers are never stored on our servers. Stripe is PCI DSS Level 1 certified.
Vulnerability scanning
Automated dependency scanning and SAST tools run on every code commit. We maintain a sub-48-hour patching SLA for critical CVEs.
Responsible Disclosure
We welcome security researchers who responsibly disclose vulnerabilities to us. If you discover a security issue, please report it privately before disclosing it publicly.
In scope: snapskill.com, api.snapskill.com, admin.snapskill.com, mobile apps.
Out of scope: Social engineering attacks, DDoS, physical security issues.
We commit to acknowledging reports within 48 hours and providing a resolution timeline within 5 business days.
Bug Bounty Program
We offer rewards for valid, responsibly disclosed security vulnerabilities. Bounties are awarded based on severity and impact. Contact us to learn more about the program.
Report a security issue
Found a vulnerability? Please contact us directly at:
security@snapskill.com
For PGP-encrypted reports, our public key is available at snapskill.com/.well-known/security.txt
General Security Questions