SPRINKLING ACT — LEGAL
Security
Last updated: March 1, 2026
Infrastructure
Frontend hosted on Vercel with a global edge network. Data stored in Supabase (EU region) with Row Level Security on all tables. All connections encrypted via TLS 1.3. HSTS with preloading enabled.
Data protection
Diagnostic data encrypted at rest. No IP addresses or full user agents stored. Session identifiers are anonymous. Analytics is first-party, GDPR-compliant, activated only with explicit consent, and never sold or shared.
Authentication
Authentication handled by Supabase Auth. Passwords are hashed using bcrypt. We never store or have access to plaintext passwords. Content Security Policy enforced to prevent XSS attacks.
Payments
All payments processed by Stripe Payments Europe Ltd (PCI DSS Level 1). Sprinkling Act never sees, stores, or processes card numbers or payment credentials.
Access control
Production database access is restricted to the data controller. No employee or contractor has broad access to user data. All access is logged.
Responsible disclosure
Report vulnerabilities to security@sprinklingact.com. We acknowledge within 48 hours and resolve critical issues within 7 days.