
Security at Bounder

When you upload a document to Bounder, you trust us with your content. We take that seriously. Our security controls are designed and operated in alignment with industry standards so your data stays protected at every layer.

SOC 2 Trust Services Criteria Alignment

Our security program is built around the AICPA SOC 2 Trust Services Criteria. The controls described on this page map directly to the SOC 2 categories: Security, Availability, Confidentiality, Processing Integrity, and Privacy. We are actively working toward a SOC 2 Type II attestation (SOC 2 is an independent auditor's report on controls, not a certification).

Security Controls

Each control category maps to specific SOC 2 Trust Service Criteria. These are the practices we follow today — not aspirational goals.

Access Control

CC6 — Logical & Physical Access

  • Authentication via Supabase Auth with OAuth and email/password support
  • Role-based access control: 4-level workspace roles (owner, admin, editor, viewer) and 3-level business roles (owner, admin, member)
  • Row Level Security (RLS) policies enforce data isolation at the database layer
  • Session management with httpOnly, secure, SameSite cookies
  • Sessions are validated on every request, refreshed automatically, and rejected once expired

Network Security

CC6 — Boundary Protection

  • HTTPS enforced via HSTS with the preload directive (max-age two years), so preload-list browsers never send a first request over plain HTTP
  • Content Security Policy (CSP) headers configured per route type
  • Rate limiting across 6 tiers, including auth: 10 requests per 5 minutes, upload: 5 per minute, general API: 60 per minute
  • CORS restrictions: authenticated endpoints locked to application origin
  • Permissions-Policy disables camera, microphone, and geolocation APIs
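The following is an added example, not Bounder's own code, showing how the per-route headers, the CORS lock and the HSTS preload check in the list above fit together in plain Node.js. The application origin, the route names and every CSP directive value are assumptions for illustration; the HSTS max-age is the two-year value stated on this page.

```javascript
// Added example (not Bounder's code): builds the response security headers
// described on this page, per route type. Plain Node.js, no dependencies.
// Route names, the app origin and the CSP directive values are assumptions.

const HSTS_MAX_AGE = 63072000; // two years, in seconds

// Assumed application origin; Bounder's real origin is not stated on the page.
const APP_ORIGIN = "https://app.bounder.example";

// One CSP per route type (directive values are illustrative, not Bounder's).
const CSP_BY_ROUTE = {
  // Logged-in application pages: no inline scripts, never framed.
  app: ["default-src 'self'", "script-src 'self'", "object-src 'none'", "frame-ancestors 'none'", "base-uri 'self'"],
  // Public flipbook viewer: embeddable by third parties, so frame-ancestors is left open.
  flipbook: ["default-src 'self'", "img-src 'self' data: blob:", "object-src 'none'", "base-uri 'self'"],
  // JSON API: nothing is rendered as a document, so lock everything down.
  api: ["default-src 'none'", "frame-ancestors 'none'"],
};

function securityHeaders(routeType) {
  const directives = CSP_BY_ROUTE[routeType];
  if (!directives) throw new Error(`unknown route type: ${routeType}`);
  return {
    // includeSubDomains is mandatory for inclusion in the HSTS preload list.
    "Strict-Transport-Security": `max-age=${HSTS_MAX_AGE}; includeSubDomains; preload`,
    "Content-Security-Policy": directives.join("; "),
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  };
}

// CORS for authenticated endpoints: echo the origin only when it is exactly the
// application origin; any other origin gets no Access-Control-* headers at all.
function corsHeaders(requestOrigin) {
  if (requestOrigin !== APP_ORIGIN) return { Vary: "Origin" };
  return {
    "Access-Control-Allow-Origin": APP_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Check an HSTS value against the hstspreload.org submission requirements:
// max-age of at least one year (31536000 s), includeSubDomains, and preload.
function hstsPreloadEligible(headerValue) {
  const parts = headerValue.split(";").map((p) => p.trim().toLowerCase());
  const maxAge = parts.find((p) => p.startsWith("max-age="));
  if (!maxAge) return false;
  const seconds = Number(maxAge.slice("max-age=".length));
  return Number.isFinite(seconds) && seconds >= 31536000
    && parts.includes("includesubdomains") && parts.includes("preload");
}

// Usage in a request handler (Express-style): merge both maps into the response.
// res.set({ ...securityHeaders("app"), ...corsHeaders(req.headers.origin) });
```

The CORS helper deliberately returns nothing rather than `*` for a foreign origin: with `Access-Control-Allow-Credentials: true`, a wildcard origin is rejected by browsers anyway, and echoing an arbitrary `Origin` back would defeat the lock.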

Data Protection

CC6 — Encryption & Confidentiality

  • Encryption in transit via TLS on every connection; browsers are held to HTTPS by HSTS preload
  • Encryption at rest with AES-256 (managed by Supabase)
  • Passwords hashed with bcrypt (configurable cost factor)
  • PII automatically redacted from application logs (emails, IPs, Stripe IDs)
  • Sensitive data excluded from client-facing error responses
  • No payment card data ever touches Bounder servers — Stripe handles all PCI scope

Availability

A1 — System Availability

  • Deployed on Railway with managed infrastructure and automated deployments
  • Supabase managed PostgreSQL with automated backups
  • Static assets served with 1-year cache headers for performance
  • Graceful degradation: rate limiting fails open (requests are allowed and the outage is logged) if Redis is unavailable, so a limiter outage never takes the application down
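The tiered limiter from the Network Security list and the fail-open behaviour noted here, as an added example that is not Bounder's code. The in-memory store stands in for Upstash Redis; a Redis store would satisfy the same `incr(key, ttl)` contract with INCR plus EXPIRE (or one Lua script) and the check would be awaited. Only the three tiers named on this page are configured.

```javascript
// Added example (not Bounder's code): a tiered fixed-window rate limiter
// that fails open when its backing store is unreachable.

// Tiers named on this page; the other three tiers are not listed there.
const TIERS = {
  auth:   { limit: 10, windowSec: 300 }, // 10 attempts per 5 minutes
  upload: { limit: 5,  windowSec: 60 },  // 5 uploads per minute
  api:    { limit: 60, windowSec: 60 },  // 60 general API calls per minute
};

// Stand-in for Redis. `down` simulates an outage for the demonstration.
class MemoryStore {
  constructor() { this.counts = new Map(); this.down = false; }
  // Increment key and return the new count; a fresh key expires after ttlMs.
  incr(key, ttlMs, nowMs) {
    if (this.down) throw new Error("ECONNREFUSED");
    const entry = this.counts.get(key);
    if (!entry || entry.expiresAt <= nowMs) {
      this.counts.set(key, { n: 1, expiresAt: nowMs + ttlMs });
      return 1;
    }
    entry.n += 1;
    return entry.n;
  }
}

// Returns check(tier, clientId, nowMs) -> { allowed, remaining, degraded }.
function createRateLimiter(store, { failOpen = true, logger = console } = {}) {
  return function check(tier, clientId, nowMs = Date.now()) {
    const cfg = TIERS[tier];
    if (!cfg) throw new Error(`unknown rate limit tier: ${tier}`);
    const windowMs = cfg.windowSec * 1000;
    // Fixed window: one counter per (tier, client, window number).
    const key = `rl:${tier}:${clientId}:${Math.floor(nowMs / windowMs)}`;
    let count;
    try {
      count = store.incr(key, windowMs, nowMs);
    } catch (err) {
      // Graceful degradation. This is fail-OPEN: while the store is down no
      // limit is enforced, so the outage must be alerted on, not just logged.
      logger.warn(`rate limiter store unavailable (${err.message}); failing ${failOpen ? "open" : "closed"}`);
      return { allowed: failOpen, remaining: null, degraded: true };
    }
    return { allowed: count <= cfg.limit, remaining: Math.max(0, cfg.limit - count), degraded: false };
  };
}

// Usage: const check = createRateLimiter(new MemoryStore());
//        if (!check("auth", clientIp).allowed) respond 429
```

Whether to fail open or closed is a product decision: failing open preserves availability at the cost of brute-force protection during the outage, which is why the `degraded` flag is returned separately so callers can count and alert on it.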

Multi-Tenant Isolation

C1 — Confidentiality

  • Workspace-scoped data access enforced at both application and database layers
  • Privilege separation: distinct admin and anonymous Supabase client connections
  • Business and team boundaries enforced via membership verification on every request
  • Flipbook password access scoped by path-restricted cookies with 24-hour TTL

Processing Integrity

PI1 — Accurate Processing

  • Zod schema validation on all API inputs with strict type checking
  • File type and size validation before any PDF processing begins
  • Stripe webhook signature verification with idempotency via event tracking table
  • Structured error handling: generic client responses, detailed server-side logs
  • Each stage of the PDF pipeline works on its own copy of the input buffer, so no stage can corrupt another's data

Monitoring & Audit

CC7 — System Monitoring

  • Structured JSON audit logging to dedicated audit_logs table
  • Application logs with automatic PII redaction, compatible with log drain services
  • Webhook event tracking prevents duplicate processing of billing events
  • Plan-based analytics retention with automated daily cleanup via cron

Privacy Controls

P1–P8 — Privacy Criteria

  • Minimal data collection — IP addresses used for country derivation then discarded
  • Plan-based data retention with automated deletion (7 to 365 days)
  • GDPR and CCPA rights supported with documented exercise procedures
  • Data processor role clearly defined for lead capture and viewer analytics
  • No third-party advertising cookies — only essential and analytics cookies used

Availability

We monitor our infrastructure continuously.

System uptime, last 90 days: 99.999% average. Each day is reported at one of four levels: operational, minor, degraded, or disruption.

Sub-Processors

We are transparent about every third-party service that processes your data. Each sub-processor is evaluated for security posture and compliance certifications.

Provider | Purpose | Data processed | Compliance
Supabase | Database, authentication, file storage | Account data, content, analytics | SOC 2 Type II
Stripe | Payment processing | Billing and card data | PCI DSS Level 1
Railway | Application hosting and deployment | Request/response data | SOC 2 Type II
Resend | Transactional email delivery | Email addresses, names | SOC 2
Upstash | Rate limiting (Redis) | IP addresses (ephemeral) | SOC 2
MaxMind GeoLite2 | IP-to-country geolocation | IP address mapped to a 2-letter country code (local database, in-memory, no external calls) | n/a (no data leaves Bounder)

Google Analytics 4 (GA4) may also be configured per flipbook by the flipbook owner as an optional integration. When enabled, Google's privacy terms apply to that data.

Working Toward SOC 2 Type II

The controls described on this page are in production today. We are formalizing our security program toward a SOC 2 Type II attestation. This includes continuous monitoring, formal written policies, and an engagement with an independent auditor to examine the controls over a review period.

If you need a security questionnaire completed or have specific compliance requirements, we are happy to work with your team.


Responsible Disclosure

If you discover a security vulnerability, we want to hear about it. Please report security issues responsibly by emailing us directly. We commit to acknowledging your report within 48 hours and working toward a resolution promptly.

Please do not publicly disclose vulnerabilities until we have had a chance to address them.


Last updated: March 9, 2026 · Privacy Policy · Terms of Service