Dialed Macros – Security Policy
Effective Date: February 13, 2026
Dialed Macros is committed to protecting the confidentiality, integrity, and availability of your data. This Security Policy outlines the technical and organizational measures we implement to safeguard our systems, infrastructure, and your personal information.
1. Authentication and Access Control
- We use Supabase Auth to manage secure user authentication, session handling, and token management
- OAuth support (Google, Apple) enables secure, password-less login options
- All passwords are salted and hashed using industry-standard algorithms — they are never stored in plain text
- Access to internal systems and production infrastructure is restricted to authorized personnel via role-based access controls (RBAC)
- Administrative access requires multi-factor authentication (MFA) and is reviewed periodically
2. Data Encryption
- In transit: All communication between your browser and our servers is encrypted using HTTPS with TLS 1.2 or higher
- At rest: User data stored within Supabase is encrypted using AES-256 encryption
- Database connections are encrypted and require authentication for all queries
- API keys and secrets are stored in encrypted environment variables, never in source code
3. Secure Payment Processing
- We do not store, process, or have access to full credit card numbers. All billing is handled entirely through Stripe
- Stripe is a PCI-DSS Level 1 certified service provider — the highest level of payment security certification
- Payment information is tokenized and encrypted by Stripe before transmission
- We regularly review our Stripe integration to ensure it follows current security best practices
4. Infrastructure and Hosting
- Our application is hosted on Vercel, which provides automatic HTTPS, DDoS protection, edge caching, and scalable serverless deployments
- Backend data and API services are hosted on Supabase, which offers database-level security, row-level security (RLS) policies, and audit logging
- Both Vercel and Supabase maintain SOC 2 Type II compliance, ensuring rigorous controls over data security, availability, and confidentiality
5. Application Security
- Our application is built with Next.js and follows modern secure development practices
- Input validation and sanitization are applied to help protect against XSS, CSRF, and injection attacks
- Dependencies are monitored and regularly updated to address known vulnerabilities
- We use automated tooling (e.g., Dependabot) to flag and patch security issues in third-party packages
- Code changes are reviewed before deployment to production environments
6. Email Security
- Transactional emails (sign-up confirmations, password resets, plan updates) are delivered through PrivateEmail by Namecheap, which supports TLS encryption for secure delivery
- We never transmit sensitive data such as passwords, tokens, or payment details in email communications
7. Logging and Monitoring
- We maintain logs of authentication events, API access, and administrative actions
- Anomalous activity and failed authentication attempts are monitored to detect potential threats
- Logs are retained for a reasonable period to support incident investigation and compliance requirements
- Access to logs is restricted to authorized personnel on a need-to-know basis
8. Data Backup and Disaster Recovery
- User data is backed up regularly through Supabase's automated backup systems
- Backups are encrypted and stored in geographically separate locations to protect against data loss
- We maintain recovery procedures to restore service availability in the event of an outage or data loss incident
9. Incident Response
In the event of a data breach or security incident, we will:
- Investigate and contain the issue promptly to minimize impact
- Notify affected users within 72 hours of confirming a breach, as required by applicable law
- Report the incident to relevant regulatory authorities where legally required
- Document findings, root causes, and remediation steps to strengthen our defenses
- Conduct a post-incident review and implement improvements to prevent recurrence
10. Employee and Organizational Security
- All team members with access to production systems or user data follow security best practices
- Access privileges are granted on a least-privilege basis and reviewed regularly
- Credentials and access are revoked promptly when team members change roles or depart
11. Vulnerability Disclosure
We value the work of security researchers and welcome responsible disclosure of potential vulnerabilities. If you discover a security issue, please report it to us at support@dialedmacros.com with the following details:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any supporting evidence (screenshots, logs, proof of concept)
We ask that you give us a reasonable amount of time to investigate and address the issue before disclosing it publicly. We will not take legal action against researchers who report vulnerabilities in good faith.
12. User Responsibilities
- You are responsible for keeping your login credentials secure and not sharing them with others
- Use a strong, unique password for your Dialed Macros account
- Log out of shared or public devices after each session
- Report any suspicious activity or unauthorized access to support@dialedmacros.com immediately
13. Changes to This Policy
We may update this Security Policy from time to time to reflect improvements to our security practices or changes in regulatory requirements. Any updates will be reflected on this page with a revised effective date. We encourage you to review this policy periodically.
14. Contact Us
For questions, security concerns, or vulnerability reports, please contact us at:
Last updated: February 13, 2026