Security & Compliance

At Stickero, we take security seriously. This page outlines our security measures, compliance standards, and commitment to protecting your data.

1. Data Encryption

1.1 Data in Transit

All data transmitted between your browser and our servers is encrypted using industry-standard TLS 1.3 protocol. This ensures that your data cannot be intercepted or read by third parties during transmission.

• HTTPS Everywhere: All pages and API endpoints are served exclusively over HTTPS
• TLS 1.3: We use the latest TLS protocol for maximum security
• Strong Ciphers: Only modern, secure cipher suites are enabled

1.2 Data at Rest

Your data is encrypted when stored on our servers using AES-256 encryption. This includes:

• Board content and sticker data
• User profiles and settings
• File uploads and attachments
• Database backups

2. Authentication & Access Control

2.1 Password Security

User passwords are protected using industry best practices:

• Bcrypt Hashing: All passwords are hashed using bcrypt with salt
• Minimum Requirements: Passwords must be at least 6 characters
• Never Stored in Plain Text: We never store or transmit passwords in plain text
• Secure Password Reset: Password reset links are time-limited and single-use

2.2 Session Management

• JWT Tokens: Secure JSON Web Tokens for session management
• Token Expiration: Sessions automatically expire after period of inactivity
• Secure Storage: Tokens are stored securely in browser localStorage

2.3 Access Control

• Role-Based Access: Granular permissions based on user roles (Admin, Member, Guest)
• Board Privacy: Only invited members can access private boards
• Share Codes: Unique, secure codes for board invitations

3. Infrastructure Security

3.1 Hosting & Network

• Secure Data Centers: Hosted on enterprise-grade infrastructure
• DDoS Protection: Protection against distributed denial of service attacks
• Firewall Protection: Network-level firewalls to prevent unauthorized access
• Regular Updates: Operating systems and software are kept up to date with security patches

3.2 Database Security

• PostgreSQL: Industry-standard, secure database system
• Parameterized Queries: Protection against SQL injection attacks
• Database Encryption: Encrypted connections and data at rest
• Regular Backups: Automated daily backups with encryption

4. Compliance & Privacy

4.1 GDPR Compliance

We are committed to compliance with the General Data Protection Regulation (GDPR):

• Data Minimization: We only collect data necessary for service operation
• Right to Access: Users can request and download their data
• Right to Deletion: Users can delete their accounts and all associated data
• Data Portability: Export your data in standard formats
• Consent Management: Clear consent mechanisms for data processing

4.2 Data Residency

• Location: Data is stored in secure data centers in compliance with regional regulations
• No Unauthorized Transfers: Your data is not transferred to third parties without consent

5. Application Security

5.1 Secure Development Practices

• Code Reviews: All code changes are reviewed for security issues
• Input Validation: All user inputs are validated and sanitized
• XSS Prevention: Protection against cross-site scripting attacks
• CSRF Protection: Cross-site request forgery protection on all forms
• Dependency Scanning: Regular scanning of third-party dependencies for vulnerabilities

5.2 API Security

• Authentication Required: All API endpoints require valid authentication
• Rate Limiting: Protection against abuse and brute force attacks
• Input Validation: Strict validation of all API inputs

6. Monitoring & Logging

6.1 Security Monitoring

• Access Logs: All access attempts are logged and monitored
• Anomaly Detection: Automated detection of suspicious activities
• Failed Login Tracking: Monitoring and blocking of repeated failed login attempts
• IP Whitelisting/Blacklisting: Admin controls for IP-based access management

6.2 Audit Trails

• Activity Logs: Comprehensive logging of user activities
• Change Tracking: All data modifications are tracked and timestamped
• Admin Actions: All administrative actions are logged

7. Business Continuity

7.1 Backup & Recovery

• Automated Backups: Daily automated backups of all data
• Encrypted Backups: All backups are encrypted
• Multiple Locations: Backups stored in geographically distributed locations
• Tested Recovery: Regular testing of backup restoration procedures
• Retention Policy: Backups retained for 30 days

7.2 Uptime & Availability

• 99.9% Uptime Target: We strive for high availability
• Redundancy: Redundant systems to prevent single points of failure
• Load Balancing: Distributed load for optimal performance

8. Incident Response

8.1 Security Incident Handling

In the event of a security incident, we follow a structured response process:

1. Detection: Immediate identification and assessment of the incident
2. Containment: Quick action to limit the scope and impact
3. Investigation: Thorough analysis to determine cause and extent
4. Remediation: Implementing fixes and security improvements
5. Notification: Timely notification to affected users as required by law
6. Post-Incident Review: Learning and improving from incidents

8.2 Data Breach Notification

In accordance with GDPR and other regulations, we commit to:

• Notify affected users within 72 hours of discovering a data breach
• Provide clear information about the nature and impact of the breach
• Outline steps taken to address the breach and prevent future incidents

9. Third-Party Services

9.1 Carefully Vetted Partners

We only work with trusted third-party services that meet our security standards:

• Payment Processing: PayPal (PCI DSS compliant)
• AI Services: Anthropic Claude API (secure, enterprise-grade)
• Email Service: Gmail SMTP with secure authentication

9.2 Data Sharing

• We do not sell or share your personal data with third parties for marketing purposes
• Third-party services only receive data necessary for their specific function
• All third-party providers are bound by strict confidentiality agreements

10. User Responsibilities

10.1 Account Security

While we implement strong security measures, users also play a crucial role:

• Strong Passwords: Use unique, complex passwords
• Keep Credentials Secure: Never share your password
• Logout from Shared Devices: Always logout when using shared computers
• Report Suspicious Activity: Notify us immediately of any unauthorized access

10.2 Best Practices

• Keep your browser and operating system up to date
• Use secure, private networks when accessing sensitive data
• Be cautious of phishing attempts
• Review board member access regularly

11. Desktop Application Security

11.1 Tauri Framework

Our desktop application is built with Tauri, a secure framework that:

• Rust Backend: Memory-safe language preventing common vulnerabilities
• Minimal Attack Surface: Lightweight, secure architecture
• Sandboxed Environment: Isolated execution environment
• Signed Builds: Code-signed applications for verified authenticity

11.2 Desktop App Features

• Same HTTPS encryption as web version
• Secure local session storage
• Automatic security updates
• Native OS security integration

12. Security Updates & Maintenance

12.1 Regular Updates

• Security Patches: Applied within 48 hours of critical vulnerabilities being discovered
• Dependency Updates: Regular updates of all third-party libraries
• Framework Updates: Keeping Flask, PostgreSQL, and other core technologies current

12.2 Maintenance Windows

• Scheduled maintenance is performed during low-traffic periods
• Users are notified in advance of planned downtime
• Emergency security updates may be applied without notice

13. Reporting Security Issues

13.1 Responsible Disclosure

If you discover a security vulnerability, please help us protect our users:

• Email: security@stickero.app
• Response Time: We aim to respond within 24 hours
• Confidentiality: Please do not publicly disclose the issue until we've had time to address it

13.2 What to Include

When reporting a security issue, please provide:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact assessment
• Any suggested fixes (optional)

14. Certifications & Standards

14.1 Compliance Standards

• GDPR: Full compliance with European data protection regulations
• OWASP Top 10: Protection against the most critical web application security risks
• Security Best Practices: Following industry-standard security guidelines

14.2 Future Certifications

We are working towards obtaining additional certifications:

• SOC 2 Type II compliance (planned)
• ISO 27001 certification (planned)

15. Data Retention & Deletion

15.1 Data Retention

• Active Accounts: Data retained as long as account is active
• Inactive Accounts: Accounts inactive for 2+ years may be archived
• Backups: Backup data retained for 30 days

15.2 Data Deletion

• Account Deletion: Users can delete their account at any time from settings
• Complete Removal: All personal data is permanently deleted within 30 days
• Board Cleanup: Guest users are removed from boards when account is deleted
• Backup Purge: Deleted data is removed from backups after retention period

16. Contact & Support

16.1 Security Team

For security-related inquiries and issues:

• Email: security@stickero.app
• General Support: support@stickero.app
• Contact Form: Contact Page

16.2 Updates to This Page

This Security & Compliance page is reviewed and updated regularly to reflect our current practices and any new security measures we implement. Last updated: November 2025