
Trust

Security

Last updated April 22, 2026

A-Listed is built on infrastructure we trust with our own data. This page describes the security practices we have in place. We believe in being honest about what we do — and what we don't yet do.

Infrastructure

Encryption in transit

All traffic between your browser and A-Listed is encrypted using TLS 1.2 or higher. We enforce HTTPS site-wide and use HSTS to prevent downgrade attacks.

Encryption at rest

All data stored in our database and file storage is encrypted at rest using AES-256, provided by our database infrastructure partner, Supabase (hosted on AWS).

CDN and DDoS protection

A-Listed is served through Cloudflare's global network, which provides DDoS mitigation, rate limiting, and edge caching as standard infrastructure features.

Isolated storage

Member photos and event images are stored in private storage buckets with row-level access controls. Files are served via time-limited signed URLs — not permanently public links.

Authentication and Access Control

User authentication is handled by Supabase Auth, which issues industry-standard JWT tokens. Passwords are hashed using bcrypt and are never stored in plain text.

All database access is governed by Row-Level Security (RLS) policies enforced at the database layer. These policies ensure that users can only read and write data belonging to their own organization. Even if application-level logic were bypassed, the database would reject unauthorized access.

Moderator and member roles have different data access scopes. Member-facing views use a security-definer function that excludes sensitive fields (such as email addresses) before returning data to the client.
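
For readers who want to see what this pattern looks like in PostgreSQL on Supabase, here is an added illustration; it is not A-Listed's actual schema or code. The table, column, policy and function names are hypothetical, while auth.uid() and the authenticated role are standard Supabase features.

```sql
-- Hypothetical schema: every table, column and policy name here is an assumption.
create table org_members (
  user_id uuid not null,   -- equals auth.uid() taken from the Supabase JWT
  org_id  uuid not null,
  role    text not null check (role in ('moderator', 'member')),
  primary key (user_id, org_id)
);

create table members (
  id        uuid primary key default gen_random_uuid(),
  org_id    uuid not null,
  full_name text not null,
  email     text not null  -- sensitive field: moderators only
);

alter table org_members enable row level security;
alter table members     enable row level security;

-- A user can read only their own membership rows.
create policy own_membership on org_members
  for select using (user_id = auth.uid());

-- Moderators can read and write member rows of their own organization only.
-- With no WITH CHECK clause, the USING expression also gates inserts/updates.
create policy moderators_manage_members on members
  for all
  using (exists (select 1 from org_members m
                 where m.user_id = auth.uid()
                   and m.org_id  = members.org_id
                   and m.role    = 'moderator'));

-- Member-facing read path. A security-definer function runs with its owner's
-- rights, so it must perform its own organization check, pin search_path,
-- and return only non-sensitive columns (no email).
create function list_org_members(target_org uuid)
returns table (id uuid, full_name text)
language sql security definer stable
set search_path = public, pg_temp
as $$
  select mb.id, mb.full_name
  from members mb
  where mb.org_id = target_org
    and exists (select 1 from org_members m
                where m.user_id = auth.uid() and m.org_id = target_org);
$$;

revoke execute on function list_org_members(uuid) from public;
grant  execute on function list_org_members(uuid) to authenticated;
```

With a layout like this, a plain member querying the members table directly gets zero rows, because no policy matches them, and can reach names only through the function.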

Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. A-Listed never receives or stores your full card number, CVV, or other raw payment credentials. Stripe's security practices are independent of ours and described on their security page.

What We Don't Yet Have

We want to be transparent about the current state of our security posture. A-Listed is an early-stage product operated by a small team. The following are not currently in place:

  • Independent security audits or penetration testing
  • SOC 2 or ISO 27001 certification
  • A formal bug bounty program
  • 24/7 automated security monitoring with defined incident response SLAs
  • Two-factor authentication (2FA) for user accounts

We intend to address these as the product and team grow. If any of these are blockers for your organization, we understand — and we'd encourage you to check back as we mature.

Responsible Disclosure

Found a vulnerability?

If you believe you've found a security issue in A-Listed, please email us at support@alisted.app with a description of the issue and steps to reproduce it. We will acknowledge your report and investigate promptly.

We ask that you give us a reasonable amount of time to investigate and address the issue before disclosing it publicly. We appreciate responsible disclosure and will credit researchers who report valid issues (with their permission).

Please do not access, modify, or delete data belonging to other users during your research. Testing against your own accounts on your own organization is acceptable.

Questions

If you have questions about our security practices, email support@alisted.app or use our contact form.
