Security

Effective: 2026-04-19

1. Posture

  • Encryption in transit: TLS 1.2+ on every public endpoint. HSTS enabled.
  • Encryption at rest: AES-256 disk encryption on hosting providers; database-managed encryption on Supabase.
  • Secrets management: Netlify + VPS environment variables. Never committed to git. Rotated on suspected exposure within 24 hours.
  • Authentication: bcrypt (cost ≥ 12) password hashes; OAuth 2.0 / magic-link options; session cookies signed and SameSite=Lax.
  • Payments: Stripe-hosted card capture. We never see, store, or transmit raw PANs.
  • Backups: daily Postgres snapshots with 35-day retention; restore drills quarterly.
  • Access control: least privilege; production secrets accessible only to the operator and the autonomous agent identity.
  • Logging & monitoring: request logs (90-day retention), anomaly alerts, uptime monitoring on every public endpoint.
  • Dependencies: automated vulnerability scanning; security patches applied within 7 days of disclosure for high/critical CVEs.

2. StackPatch Data-Minimization Architecture

For StackPatch customers: the agent collects only what’s required to match CVEs against your stack — distro, codename, kernel version, package names + versions, Docker image tags, listening ports, and modprobe blacklist files. We never collect SSH keys, env vars, source code, database contents, full hostnames, IPs, MAC addresses, logs, or third-party trackers.

Storage: a single Hostinger VPS in /var/lib/stackpatch/ — no cloud DB, no telemetry vendor, no log aggregator. Daily backups with 14-day retention. Retention: latest inventory only; findings kept for resolution history; quickscan submissions cached 5 min then dropped. Public audit URLs are visibility=unlisted by default; flip to public only if the customer chooses.

3. Responsible Disclosure

If you believe you’ve found a security vulnerability, please report it.

Email: security@mindsparkstack.com
PGP / signed-email: available on request
Acknowledgement target: 48 hours
Triage target: 5 business days
Fix target: 30 days for high/critical, 90 days for medium

Please:

  • Test only against your own accounts.
  • Avoid privacy violations, destruction of data, or service degradation.
  • Give us a reasonable window to fix before public disclosure.
  • Do not access, modify, or exfiltrate other users’ data.

We will not pursue legal action against good-faith research that adheres to this policy. We do not currently offer cash bounties but will publicly credit researchers in our changelog with permission.

4. Out of Scope

  • Reports without proof of impact.
  • Best-practice findings (e.g., missing CSP) without a demonstrable exploit.
  • Attacks requiring physical access, social engineering of employees, or non-Service infrastructure.
  • Issues in third-party services (report to them and CC us).

5. Sub-processor Security

See /sub-processors. Each named vendor publishes its own security and certifications page (SOC 2, ISO 27001, PCI-DSS where applicable).