Security

Last updated: March 2026

Our Commitment

Security is fundamental to Dacard.ai. We protect customer data through encryption at rest and in transit, role-based access controls, and regular security reviews. This page describes our security practices and how to report vulnerabilities responsibly.

Security Controls

| Control | Implementation | Status |
|---|---|---|
| Authentication | Clerk (SOC 2 Type II). Supports SSO (SAML/OIDC), MFA, passkeys. Session tokens are HttpOnly, Secure, SameSite=Lax. | Live |
| Encryption in transit | TLS 1.2+ enforced via Vercel Edge. HSTS with 1-year max-age. All API traffic over HTTPS. | Live |
| Encryption at rest | Integration credentials encrypted with AES-256-GCM. Database encrypted at rest by Turso (libSQL). | Live |
| Authorization | 6-role RBAC (member, lead, executive, admin, super_admin, dacard_admin). All API routes enforce permissions server-side. | Live |
| Rate limiting | Per-user rate limits on all high-cost API actions (scoring, chat). Returns 429 with Retry-After header. | Live |
| SSRF protection | DNS pre-resolution + RFC 1918/loopback/link-local/AWS metadata blocklist on crawler. Prevents server-side request forgery. | Live |
| Security headers | X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, Permissions-Policy, HSTS on all responses. | Live |
| Audit logging | Security-relevant events (impersonation, account deletion, role changes) logged with user, timestamp, and IP. | Live |
| Webhook signing | HMAC-SHA256 signatures on all outbound webhook payloads. Timestamp included to prevent replay attacks. | Live |
| Dependency scanning | GitHub Dependabot alerts on all npm dependencies. Critical CVEs addressed within 48 hours. | Live |
| Error monitoring | Sentry error tracking in production. Exceptions alerted within 5 minutes. | Live |

Infrastructure

Dacard.ai is hosted on Vercel (SOC 2 Type II, ISO 27001). Data is stored in Turso (libSQL), a distributed SQLite platform with encryption at rest. Authentication is managed by Clerk (SOC 2 Type II). All sub-processors are listed in our Data Processing Agreement.

Vulnerability Disclosure Policy

We welcome responsible security research. If you discover a vulnerability in Dacard.ai, we ask that you:

  • Email security@dacard.ai with a clear description of the vulnerability
  • Include steps to reproduce, impact assessment, and any relevant screenshots or proof-of-concept
  • Give us reasonable time to investigate and patch before public disclosure (90 days standard, shorter for critical issues)
  • Do not access, modify, or delete customer data during research
  • Do not perform denial-of-service attacks, social engineering, or physical attacks

Response Timeline

| Severity | Initial response | Resolution target |
|---|---|---|
| Critical (CVSS 9.0+) | 24 hours | 48 hours |
| High (CVSS 7.0–8.9) | 48 hours | 7 days |
| Medium (CVSS 4.0–6.9) | 5 business days | 30 days |
| Low (CVSS <4.0) | 10 business days | 90 days |

Scope

In-scope targets include app.dacard.ai and www.dacard.ai. Out-of-scope: third-party services (Clerk, Vercel, Turso, Stripe), denial-of-service vulnerabilities, and issues requiring physical access.

Contact

For security disclosures: security@dacard.ai

For privacy requests: privacy@dacard.ai

For general inquiries: hello@dacard.ai