Still Here

Security

How we protect your data

Encryption in Transit

All connections use TLS 1.3. HTTPS is enforced for every request. HSTS is enabled with a 2-year max-age so that browsers refuse to fall back to plaintext HTTP, which blocks SSL-stripping downgrade attacks.

Encryption at Rest

All data stored in Cloudflare D1 is encrypted at rest by the infrastructure provider. Database access is restricted to authorized Workers only.

Payment Security

Payments are processed by Stripe, a PCI-DSS Level 1 certified provider. We never see, store, or transmit your full credit card number or CVC.

Authentication

Sessions are managed with JWTs that carry an expiration claim and are rejected once expired. Passwords are stored hashed, never in plaintext. Rate limiting on authentication endpoints slows brute-force attacks.

Webhook Verification

Stripe webhooks are verified using the HMAC-SHA256 signature Stripe attaches to each event. The signature is checked with a constant-time comparison to prevent timing attacks, and because the signed payload includes the event timestamp, events outside a short tolerance window are rejected to prevent replay attacks.

Infrastructure

Hosted on Cloudflare's global network with DDoS protection, WAF, and edge-level rate limiting. Cloudflare Workers run in isolated V8 isolates.

Content Security Policy

Strict CSP headers restrict script execution to trusted origins. X-Frame-Options prevents clickjacking by stopping other sites from framing our pages, and X-Content-Type-Options: nosniff prevents browsers from MIME-sniffing responses into executable types.

Input Validation

All user input is validated and sanitized server-side. Email content is HTML-escaped before delivery, so user-supplied text cannot inject markup or scripts into outgoing messages. Check-in responses are idempotent, so a replayed check-in has no effect beyond the first.

Data Storage

User data is stored in Cloudflare D1, a globally distributed relational database. Data is replicated across Cloudflare's network for availability. Database access is restricted to authenticated Worker requests originating from our service only.

Breach Notification

In the event of a data breach affecting personal data, we will notify affected users and the relevant supervisory authorities within 72 hours of discovery, meeting the GDPR requirement to notify the supervisory authority within 72 hours of becoming aware of a breach. We maintain an incident response plan to contain, investigate, and remediate security incidents.

Responsible Disclosure

If you discover a security vulnerability in Still Here, please report it to us at [email protected]. We ask that you:

  • Give us reasonable time to investigate and address the issue before public disclosure.
  • Do not access or modify data that does not belong to you.
  • Act in good faith and follow responsible disclosure principles.

We take all security reports seriously and will acknowledge receipt within 48 hours.

Compliance

Still Here is designed to comply with GDPR (EU), UK GDPR, and CCPA (California). For details on data handling, see our Privacy Policy.

© 2026 Still Here. All rights reserved.