Security Policy
Your security is our top priority. This policy explains how My Community Harvest protects your data, transactions, and account.
Quick Navigation
1. Data Encryption
We use industry-standard encryption to protect your data both in transit and at rest.
In Transit
- • TLS 1.2+ encryption on all connections
- • HTTPS enforced across all endpoints
- • Secure WebSocket connections for real-time features
- • API calls encrypted end-to-end
At Rest
- • Database encryption for sensitive data
- • Encrypted backups
- • Secure credential storage
- • No plain-text storage of passwords or tokens
2. Authentication & Access Control
We use enterprise-grade authentication to protect your account from unauthorized access.
- Third-Party Authentication: Login is managed by Kinde Auth, a SOC 2 compliant identity provider. We never store your password directly.
- Token-Based Sessions: Authenticated sessions use cryptographically signed JWT tokens with automatic expiry.
- Role-Based Access: Users can only access data and features appropriate to their role within groups and pots.
- Social Login Options: Sign in with Google or email—no password to remember or risk being compromised.
3. Payment Security
All financial transactions are processed through Stripe, a globally trusted payment processor certified to the highest industry standards.
PCI DSS Level 1 Compliant: Stripe is certified as a PCI Level 1 Service Provider, the most stringent level of certification available in the payments industry. My Community Harvest never sees or stores your full card number.
- Tokenized Payments: Card details are tokenized by Stripe—we only receive a secure reference token.
- Identity Verification: Stripe performs identity verification (KYC) for users receiving payouts, adding an extra layer of fraud prevention.
- Fee Transparency: All transaction fees are disclosed before you confirm any contribution or payout.
- Fraud Detection: Stripe's machine learning systems actively monitor for suspicious transactions and potential fraud.
4. Infrastructure Security
Our infrastructure is designed with security at every layer to protect against common threats and attacks.
Threat Protection
- • Rate limiting to prevent abuse
- • SQL injection protection
- • Cross-Site Scripting (XSS) prevention
- • Content Security Policy (CSP) headers
- • Automated bot detection and blocking
Monitoring & Operations
- • Continuous system health monitoring
- • Automated security scanning
- • Request size limits and validation
- • CORS policy enforcement
- • Regular security updates and patching
5. Incident Response
In the unlikely event of a security incident, we follow a structured response process to minimize impact and protect our users.
- Rapid Detection: Continuous monitoring and alerting systems help us identify potential incidents quickly.
- Immediate Containment: Our team follows established procedures to contain and mitigate any threat.
- User Notification: If a breach affects your personal data, we will notify you within 72 hours as required by GDPR and applicable law, along with details of what occurred and steps you should take.
- Post-Incident Review: Every incident is followed by a thorough review to strengthen our defenses and prevent recurrence.
6. Your Security Responsibilities
Security is a shared responsibility. Here's how you can help protect your account:
- Keep your email secure: Since we use third-party authentication, the security of your login depends on the security of your email account. Use a strong password and enable two-factor authentication on your email.
- Don't share access: Never share your account credentials or authentication links with others.
- Use trusted devices: Only log in from devices you trust. Always log out when using shared or public computers.
- Report suspicious activity: If you notice unauthorized access or suspicious transactions, contact us immediately at [email protected].
- Keep information current: Ensure your contact details are up to date so we can reach you in case of a security concern.
7. Vulnerability Reporting
We appreciate the security research community and encourage responsible disclosure of any vulnerabilities you may discover.
Responsible Disclosure: If you discover a security vulnerability, please report it to [email protected]. Please do not publicly disclose the vulnerability until we have had a chance to address it. We aim to acknowledge reports within 48 hours and provide a resolution timeline within 5 business days.
8. Security Updates
We continuously improve our security practices. This policy may be updated as we adopt new technologies and respond to evolving threats. Material changes will be communicated via email or in-app notification.
Security Questions or Concerns?
If you have any questions about our security practices or need to report a security issue, please contact us immediately.
See also: Terms of Service | Privacy Policy | Cookie Policy | Refund Policy