Last updated: February 13, 2026
We take the security of your data, designs, and earnings seriously. Here is how we protect what matters to you.
1. Payment Security
All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor — the highest level of certification in the payment industry.
What this means
We never see, store, or have access to your full credit card numbers or bank account details. All sensitive financial data is handled directly by Stripe.
Creator payouts
Stripe Connect Express handles creator identity verification and banking details. Your payout information is encrypted and stored by Stripe, not by us.
2. Data Encryption
In transit
All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security). This applies to every API call, login request, design upload, and page load.
At rest
Our database is hosted on encrypted infrastructure. Passwords are hashed using bcrypt with a strong work factor, so we store only a salted hash and cannot recover your password from it. Someone who obtained that hash would still have to guess the password itself, which is why a strong, unique password matters (see section 9).
Design files
Your designs are stored on secure cloud infrastructure with access controls that restrict who and what systems can access them.
3. Authentication and Sessions
- Password hashing: All passwords are hashed with bcrypt before storage. Plain-text passwords are never stored or logged.
- Session management: Server-side sessions with 30-day expiration. Session tokens are stored in HTTP-only cookies that cannot be accessed by client-side scripts.
- Secure cookies: In production, cookies are transmitted only over HTTPS and are marked as secure and HTTP-only.
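The three properties listed above (HttpOnly, Secure, a lifetime of at most 30 days) are all visible in the Set-Cookie header a response carries, so they can be checked from the outside. The following is an added example, not MerchMadness code: a small parser and audit for one Set-Cookie header. The cookie name `session`, the header strings in the usage block, and the 30-day limit as a Max-Age comparison are assumptions made for illustration; an Expires date would need separate parsing and is not checked here.

```python
"""Audit a Set-Cookie header for HttpOnly, Secure and a <= 30-day lifetime.

Added example, not the platform's code. Cookie names and header strings
below are constructed; only Max-Age is used for the lifetime check.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

THIRTY_DAYS = 30 * 24 * 60 * 60  # session lifetime stated in the text, in seconds


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    max_age: Optional[int]
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, attributes).

    Attribute names are lower-cased; bare flags such as HttpOnly map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str, max_lifetime: int = THIRTY_DAYS) -> CookieAudit:
    """Check one Set-Cookie header and record every property it fails."""
    name, _value, attrs = parse_set_cookie(header)
    audit = CookieAudit(name=name, http_only="httponly" in attrs,
                        secure="secure" in attrs, max_age=None)
    if "max-age" in attrs:
        try:
            audit.max_age = int(attrs["max-age"] or "")
        except ValueError:
            audit.problems.append("Max-Age is not an integer")
    if not audit.http_only:
        audit.problems.append("missing HttpOnly: token is readable from document.cookie")
    if not audit.secure:
        audit.problems.append("missing Secure: token would be sent over plain HTTP")
    if audit.max_age is not None and audit.max_age > max_lifetime:
        audit.problems.append(
            f"Max-Age {audit.max_age}s exceeds the {max_lifetime}s session lifetime")
    return audit


if __name__ == "__main__":
    # Constructed headers: one as section 3 describes, one as a dev server might emit.
    for hdr in ("session=abc123; Path=/; Max-Age=2592000; HttpOnly; Secure",
                "session=abc123; Path=/; Max-Age=31536000"):
        result = audit_session_cookie(hdr)
        print(result.name, result.problems or "OK")
```

Feed it the Set-Cookie headers of a real login response (for example, captured with `curl -i`) to confirm the production configuration matches what this page states; the second constructed header shows the kind of output a misconfigured environment produces.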
4. Infrastructure
- Hosting: The Platform runs on managed cloud infrastructure with automatic security updates, monitoring, and redundancy.
- Database: PostgreSQL database with encrypted connections, automated backups, and point-in-time recovery capability.
- Environment isolation: Secrets, API keys, and credentials are stored in encrypted environment variables, separate from application code. They are never committed to source control.
5. AI and Design Data
- Design prompts: Your creative prompts and vision descriptions are sent to AI services for design generation. No personal information is included in these requests.
- Generated designs: AI-generated images are stored securely and associated only with your creator account.
- Support images: Photos uploaded during support conversations are hosted with temporary URLs that expire within 24 hours.
6. Third-Party Security
We carefully select partners who maintain high security standards:
- Stripe: PCI DSS Level 1, SOC 2 compliant, with dedicated security team and regular audits.
- Fulfillment partner: Secure API connections with authenticated requests. Buyer data shared only as required for order processing.
- AI providers: Enterprise-grade AI services with data processing agreements. Your prompts are not used to train models.
- Email service: Authenticated sending with SPF, DKIM, and DMARC, so receiving mail servers can detect and reject messages that spoof our domain.
7. Access Controls
- Internal access to production systems is restricted to authorized personnel only.
- Database queries are parameterized to prevent SQL injection attacks.
- API endpoints validate authentication and authorization on every request.
- File uploads are validated for type, size, and content before processing.
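Parameterized queries, mentioned in the list above, are best understood side by side with the unsafe alternative. The following is an added example, not MerchMadness code: it uses Python's built-in sqlite3 as an offline stand-in for PostgreSQL, and the `creators` table, its rows, the email lookup and the injection payload are all constructed for illustration. A psycopg query against PostgreSQL would use `%s` placeholders instead of `?`, but the mechanism is the same: the driver sends the value separately from the SQL text, so quotes inside it are data, not syntax.

```python
"""String-formatted query versus parameterized query, as an added example.

sqlite3 stands in for PostgreSQL so this runs offline; table, rows and the
payload are constructed. Not the platform's own code.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with two constructed creator rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE creators (id INTEGER PRIMARY KEY, email TEXT, payout_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO creators (email, payout_cents) VALUES (?, ?)",
        [("alice@example.com", 12500), ("bob@example.com", 800)],
    )
    return conn


def find_creator_unsafe(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    # Vulnerable: the caller's input is pasted into the SQL text, so a quote
    # in the input ends the string literal and the rest becomes SQL.
    sql = f"SELECT id, email FROM creators WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_creator_safe(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    # Hardened: the value is bound as a parameter and never parsed as SQL.
    return conn.execute(
        "SELECT id, email FROM creators WHERE email = ?", (email,)
    ).fetchall()


# Constructed tautology payload: turns "email = 'x'" into "email = 'x' OR '1'='1'".
PAYLOAD = "x' OR '1'='1"


def compare(email: str) -> Tuple[int, int]:
    """Return (rows from the unsafe query, rows from the safe query) for one input."""
    conn = make_db()
    try:
        return len(find_creator_unsafe(conn, email)), len(find_creator_safe(conn, email))
    finally:
        conn.close()


if __name__ == "__main__":
    print("legitimate lookup:", compare("alice@example.com"))  # both find one row
    print("injection payload:", compare(PAYLOAD))               # unsafe leaks every row
```

For a legitimate address both functions return one row; for the payload the formatted query returns every creator while the parameterized one returns none, because no email literally equals the payload string.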
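Validating an upload "for type, size, and content", as the list above puts it, means not trusting the filename or the Content-Type the client sends. The following is an added example, not MerchMadness code, of what such a check looks like for PNG and JPEG design files: it enforces a size limit, identifies the format from the file's leading bytes, requires the declared type and the extension to agree with that, and rejects files missing the format's trailer (a cheap truncation check). The 10 MB limit, the accepted formats and the sample byte strings are assumptions constructed for this example; a production pipeline would typically go further and re-encode the image with an image library so that nothing but pixel data survives.

```python
"""Reject uploads by size, magic bytes, declared type and trailer.

Added example; the limit, accepted formats and sample files are constructed,
not the platform's actual policy or code.
"""
from typing import Dict, Optional

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed limit for this example

# Leading bytes that identify each accepted format (checked on content, not name).
SIGNATURES: Dict[str, bytes] = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}
# Bytes a complete file of each format ends with; absence suggests truncation.
TRAILERS: Dict[str, bytes] = {
    "image/png": b"IEND\xae\x42\x60\x82",
    "image/jpeg": b"\xff\xd9",
}
EXTENSIONS: Dict[str, set] = {
    "image/png": {"png"},
    "image/jpeg": {"jpg", "jpeg"},
}


class UploadRejected(ValueError):
    """Raised with a human-readable reason when an upload fails validation."""


def detect_type(data: bytes) -> Optional[str]:
    """Identify the format from the leading bytes, or None if unsupported."""
    for mime, magic in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def validate_upload(filename: str, declared_type: str, data: bytes,
                    max_bytes: int = MAX_UPLOAD_BYTES) -> str:
    """Return the verified MIME type, or raise UploadRejected."""
    if not data:
        raise UploadRejected("empty file")
    if len(data) > max_bytes:
        raise UploadRejected(f"size {len(data)} exceeds limit of {max_bytes} bytes")
    actual = detect_type(data)
    if actual is None:
        raise UploadRejected("content is not a supported image format")
    if declared_type.lower() != actual:
        raise UploadRejected(f"declared {declared_type} but content is {actual}")
    if not data.endswith(TRAILERS[actual]):
        raise UploadRejected(f"{actual} file is truncated or has trailing data")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXTENSIONS[actual]:
        raise UploadRejected(f"extension '.{ext}' does not match {actual}")
    return actual


def rejection_reason(filename: str, declared_type: str, data: bytes,
                     max_bytes: int = MAX_UPLOAD_BYTES) -> Optional[str]:
    """None if the upload passes, otherwise the reason it was rejected."""
    try:
        validate_upload(filename, declared_type, data, max_bytes)
    except UploadRejected as exc:
        return str(exc)
    return None


# Constructed sample files: valid signature, padding, valid trailer. Not real images.
SAMPLE_PNG = SIGNATURES["image/png"] + b"\x00" * 32 + TRAILERS["image/png"]
SAMPLE_JPEG = SIGNATURES["image/jpeg"] + b"\xe0" + b"\x00" * 32 + TRAILERS["image/jpeg"]

if __name__ == "__main__":
    cases = [
        ("logo.png", "image/png", SAMPLE_PNG),
        ("photo.png", "image/png", SAMPLE_JPEG),        # renamed JPEG
        ("logo.png", "image/png", SAMPLE_PNG[:-4]),     # truncated
        ("page.html", "image/png", b"<html><script>"),  # not an image at all
    ]
    for name, declared, blob in cases:
        print(name, "->", rejection_reason(name, declared, blob) or "accepted")
```

The ordering matters: the size check runs before any content inspection, so an oversized upload is rejected without being parsed, and the type is decided from the bytes first and only then compared with what the client claimed.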
8. Incident Response
In the unlikely event of a security breach that affects your data, we will:
- Investigate and contain the incident immediately.
- Notify affected users within 72 hours, as required by applicable law.
- Report to relevant authorities where legally required.
- Provide clear information about what data was affected and what steps you should take.
9. What You Can Do
- Choose a strong, unique password for your account.
- Do not share your account credentials with others.
- Sign out when using shared devices.
- Keep your browser up to date.
- Report suspicious activity to support@merchmadness.app.
10. Reporting a Vulnerability
If you discover a security vulnerability, please report it responsibly to support@merchmadness.app. We appreciate the security community's efforts and will acknowledge valid reports promptly.