LinksWatch is built by Numlock Studio, a New Zealand business. We take security seriously and have designed our infrastructure to protect your data at every layer.
Infrastructure
- Hosting:Our application is hosted on Vercel's edge network with automatic TLS certificates and DDoS protection.
- Database: All data is stored in Supabase (AWS us-east-1) with encryption at rest and automated backups.
- Payments: Payment processing is handled entirely by Stripe. We never see, store, or process your payment card details.
- Email: Transactional emails are delivered via Resend over authenticated SMTP with DKIM signing.
Data protection
- Encryption in transit: All connections use TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS.
- Encryption at rest: Database storage is encrypted using AES-256 via AWS infrastructure.
- Row-level security: Every database table enforces row-level security policies, ensuring users can only access their own data. These policies are audited regularly.
- Password storage: Account passwords are hashed using bcrypt via Supabase Auth. Optional link passwords use HMAC-SHA256 with a unique random salt per link.
- API keys: API keys are stored as SHA-256 hashes. The plaintext key is shown once at creation and never stored.
Access controls
- Authentication: Powered by Supabase Auth with secure session management, rate-limited login attempts, and support for email/password authentication.
- Role-based access: Users, team admins, org admins, and super admins have distinct permission levels enforced at the database layer.
- Admin audit trail: All administrative impersonation actions are logged to a tamper-evident audit table.
Application security
- Rate limiting: All API endpoints are rate-limited to prevent abuse, including login, link creation, QR generation, and data exports.
- Input validation: All user inputs are validated and sanitised server-side. URLs are checked against SSRF vectors before being accepted.
- Dependency scanning: We regularly audit dependencies for known vulnerabilities.
Responsible disclosure
If you discover a security vulnerability in LinksWatch, please report it responsibly. Contact us via our contact formwith the subject "Security Report". We ask that you:
- Provide sufficient detail for us to reproduce the issue.
- Allow reasonable time for us to investigate and address it before public disclosure.
- Do not access, modify, or delete other users' data.
We take all reports seriously and aim to acknowledge them within 48 hours. We will not take legal action against researchers who follow these guidelines.
Incident response
In the event of a data breach or security incident, we will:
- Investigate and contain the issue as a priority.
- Notify affected users as soon as practicable — typically within 72 hours of confirming a notifiable breach.
- Notify the Office of the New Zealand Privacy Commissioner where the Privacy Act 2020 requires it.
- Publish a post-incident summary describing the nature, impact, and remediation steps.
Questions
For security-related questions, contact us via our contact form.
Numlock Studio, New Zealand.