Short version: passwords are hashed, payments are handled by Stripe, no card data ever touches our servers, sessions expire after 7 days, and we log admin actions for audit. Long version below.
Authentication
- Passwords are hashed with scrypt, a memory-hard key-derivation function on OWASP's recommended list, using a per-user random salt before storage. We never store plaintext passwords. Staff accounts have used scrypt since v15 (May 2026); subscriber accounts migrated to scrypt in v22.10.3 (May 2026). Legacy subscriber records hashed with SHA-256 are transparently re-hashed with scrypt the next time the user logs in, which is the only moment the server holds the plaintext needed to do so.
- Session tokens are signed with HMAC-SHA256 under a secret held only on the server. Without that secret a token cannot be forged or altered, so an attacker who can write to your browser's local storage still cannot mint a token for another user. A valid token that is stolen rather than forged remains usable until it expires, which is why the cookie protections below matter.
- Session cookies are HttpOnly, Secure, and SameSite=Strict: not readable by JavaScript, sent only over HTTPS, and not sent on cross-site requests.
- Sessions expire after 7 days. Re-authenticate after that.
- Magic-link tokens in email CTAs are HMAC-signed and single-use: a link is invalidated the first time it is consumed, so a link that leaks after you have already used it is worthless.
- Login attempts are rate-limited per IP address and per email address (5 attempts per 15 minutes for each) to slow credential-stuffing and brute-force attempts; the per-email limit means that spreading guesses across many IPs does not help. Sensitive actions (password change, account deletion) are rate-limited more aggressively (3 attempts per 15 minutes).
- Security notification emails are sent automatically on password change and account deletion. If you receive one and didn’t initiate the action, write to security@atlasrisks.com immediately.
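The password-storage scheme above, worked through as an added example (this is illustrative code, not the AtlasRisks code base). It hashes with scrypt under a fresh per-user salt, verifies with a constant-time comparison, and on a successful login returns a replacement record whenever the stored one is a legacy SHA-256 hash. It goes one step beyond the page: it also re-hashes when the stored scrypt cost parameters are lower than the current ones, which is the same transparent-upgrade path. The record formats ("scrypt$N$r$p$salt$hash" and an unsalted "sha256$hash" for legacy rows) and the cost parameters are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Illustrative example, not AtlasRisks' implementation. The record formats
# "scrypt$N$r$p$salt_hex$hash_hex" and "sha256$hash_hex" (assumed shape of a
# legacy, unsalted SHA-256 row) are assumptions made for this example.


class PasswordStore:
    """Hash passwords with scrypt and transparently upgrade weaker records."""

    def __init__(self, n=2 ** 17, r=8, p=1, dklen=32):
        # Defaults follow OWASP's stated scrypt minimum (N=2^17, r=8, p=1).
        # Tests may pass a smaller N to run quickly.
        self.n, self.r, self.p, self.dklen = n, r, p, dklen

    def _scrypt(self, password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
        return hashlib.scrypt(
            password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
            dklen=self.dklen,
            maxmem=2 * 128 * n * r,  # scrypt needs ~128*N*r bytes; allow headroom
        )

    def hash(self, password: str) -> str:
        salt = secrets.token_bytes(16)  # fresh random salt for every hash
        digest = self._scrypt(password, salt, self.n, self.r, self.p)
        return f"scrypt${self.n}${self.r}${self.p}${salt.hex()}${digest.hex()}"

    @staticmethod
    def legacy_sha256(password: str) -> str:
        """Builds a record in the assumed pre-migration format (for the demo only)."""
        return "sha256$" + hashlib.sha256(password.encode("utf-8")).hexdigest()

    def verify(self, password: str, record: str):
        """Return (ok, new_record).

        new_record is a replacement to store when the login succeeded and the
        stored record is legacy SHA-256 or uses out-of-date scrypt parameters;
        otherwise it is None.
        """
        fields = record.split("$")
        if fields[0] == "scrypt":
            n, r, p = (int(x) for x in fields[1:4])
            salt, expected = bytes.fromhex(fields[4]), bytes.fromhex(fields[5])
            actual = self._scrypt(password, salt, n, r, p)
            ok = hmac.compare_digest(actual, expected)  # constant-time compare
            outdated = (n, r, p) != (self.n, self.r, self.p)
            return ok, (self.hash(password) if ok and outdated else None)
        if fields[0] == "sha256":
            expected = bytes.fromhex(fields[1])
            actual = hashlib.sha256(password.encode("utf-8")).digest()
            ok = hmac.compare_digest(actual, expected)
            # Legacy row: the plaintext is in hand only now, so re-hash with scrypt.
            return ok, (self.hash(password) if ok else None)
        raise ValueError("unknown password record format")
```

The caller stores new_record in place of the old one whenever it is not None; a failed login never triggers a re-hash, so an attacker guessing against a legacy row learns nothing about the upgrade.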
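The HMAC-signed token scheme above, covering both the 7-day session tokens and the single-use magic links, as an added example (illustrative code, not AtlasRisks' own). A token is a base64url payload plus an HMAC-SHA256 tag under a server-side secret; verification compares the tag in constant time before anything in the payload is parsed, then checks expiry. Magic links additionally carry a random id that is recorded the first time it is consumed. The claim names, the cookie name, the token encoding and the 15-minute lifetime of an unused magic link are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Added illustration, not the AtlasRisks code base. Claim names, the token
# encoding, the cookie name and MAGIC_LINK_TTL are assumptions for this example.

SESSION_TTL = 7 * 24 * 3600   # sessions expire after 7 days
MAGIC_LINK_TTL = 15 * 60      # assumed lifetime of an unused magic link


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    def __init__(self, secret: bytes, clock=time.time):
        self._secret = secret       # server-side secret; never sent to the client
        self._clock = clock         # injectable so tests can move time forward
        self._consumed = set()      # magic-link ids already used (a DB table in practice)

    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self._secret, payload, hashlib.sha256).digest()

    def _encode(self, claims: dict) -> str:
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        return _b64(payload) + "." + _b64(self._sign(payload))

    def _decode(self, token: str):
        """Claims if the tag verifies and the token is unexpired, else None."""
        try:
            payload_part, sig_part = token.split(".")
            payload, sig = _unb64(payload_part), _unb64(sig_part)
        except ValueError:          # malformed token or bad base64
            return None
        # Constant-time compare; a forged or edited token fails here, before
        # any of its contents are parsed or trusted.
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        claims = json.loads(payload)
        if claims["exp"] <= self._clock():
            return None
        return claims

    def issue_session(self, user_id: str) -> str:
        now = int(self._clock())
        return self._encode({"typ": "session", "sub": user_id,
                             "iat": now, "exp": now + SESSION_TTL})

    def session_user(self, token: str):
        claims = self._decode(token)
        if claims is None or claims.get("typ") != "session":
            return None
        return claims["sub"]

    def issue_magic_link(self, user_id: str) -> str:
        now = int(self._clock())
        return self._encode({"typ": "magic", "sub": user_id,
                             "jti": secrets.token_hex(8), "exp": now + MAGIC_LINK_TTL})

    def consume_magic_link(self, token: str):
        """Returns the user id on first use; None if invalid, expired or already used."""
        claims = self._decode(token)
        if claims is None or claims.get("typ") != "magic":
            return None
        if claims["jti"] in self._consumed:
            return None             # single-use: second consumption is rejected
        self._consumed.add(claims["jti"])
        return claims["sub"]


def session_cookie(token: str) -> str:
    """Set-Cookie value carrying the attributes listed above (cookie name assumed)."""
    return (f"atlas_session={token}; Max-Age={SESSION_TTL}; Path=/; "
            "HttpOnly; Secure; SameSite=Strict")
```

The "typ" claim stops a magic-link token from being presented as a session and vice versa; without it, any signed token would be accepted wherever a signature is checked. In a real deployment the consumed-id set lives in the database so that every server instance sees the same state.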
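The rate limits above, as an added example of a sliding-window limiter (illustrative code, not AtlasRisks' own). A login attempt must have room in both the per-IP bucket and the per-email bucket, so a credential-stuffing run spread across many IPs is still stopped by the per-email limit, and sensitive actions get the tighter 3-per-15-minute bucket. The in-memory store, the bucket key layout, the lower-casing of the email and the per-action keying of sensitive limits are assumptions made for this example.

```python
import time
from collections import defaultdict, deque

# Added illustration, not the AtlasRisks code base. The in-memory store, the
# key layout and the email normalisation are assumptions for this example.

WINDOW = 15 * 60            # 15-minute window, as on the page
LOGIN_LIMIT = 5             # per IP and per email
SENSITIVE_LIMIT = 3         # password change, account deletion


class RateLimiter:
    def __init__(self, clock=time.time):
        self._clock = clock
        # key -> timestamps of allowed attempts still inside the window.
        # In production this lives in a shared store so all instances agree.
        self._events = defaultdict(deque)

    def allow(self, key: str, limit: int, window: int = WINDOW) -> bool:
        now = self._clock()
        q = self._events[key]
        while q and q[0] <= now - window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= limit:
            return False                     # bucket exhausted: reject
        q.append(now)                        # count this attempt, success or not
        return True


def check_login(limiter: RateLimiter, ip: str, email: str) -> bool:
    """True if the attempt may proceed; counted against both IP and email buckets."""
    email_key = "login:email:" + email.strip().lower()   # normalised (assumption)
    ip_ok = limiter.allow("login:ip:" + ip, LOGIN_LIMIT)
    email_ok = limiter.allow(email_key, LOGIN_LIMIT)
    return ip_ok and email_ok


def check_sensitive(limiter: RateLimiter, user_id: str, action: str) -> bool:
    """Tighter bucket per user and action (per-action keying is an assumption)."""
    return limiter.allow(f"{action}:user:{user_id}", SENSITIVE_LIMIT)
```

Both buckets are charged even when one of them rejects, which is deliberate: a rejected attempt is still an attempt, and charging only on success would let an attacker probe the limit for free.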
Payments
- All payment processing happens via Stripe (PCI-DSS Level 1 certified).
- Card numbers, CVCs, and expiry dates never reach AtlasRisks servers. We see only the last 4 digits and the brand for display purposes.
- We use Stripe’s hosted checkout and billing portal, which means even our forms don’t handle card data directly.
Data we store
- Email address (for sending the brief and account access)
- Display name (optional)
- Hashed password (scrypt with a per-user salt, as described under Authentication)
- Watchlist (the ISO codes you’ve added)
- Subscription status (tier + billing status)
- Stripe customer ID (a reference token, not card data)
Data we don’t collect
No tracking pixels, no third-party advertising cookies, no behavioral profiling, no selling of email addresses. The only third-party services we use are Stripe (payments), Resend (email delivery), and Netlify (hosting). See the privacy policy for the full list.
Reporting a security issue
If you find a vulnerability, please email security@atlasrisks.com with details. We aim to respond within 24 hours and patch within 7 days for confirmed issues.