Security
Last updated 2026-06-17
This page describes the technical and organisational measures getAdvantage actually uses to protect your data. We list what we do, not what we aspire to. Where we don’t yet hold a formal certification, we say so plainly — see What we don’t claim below.
Data in transit
All traffic to and from getadvantage.app is served exclusively over HTTPS (TLS). We send an HTTP Strict-Transport-Security (HSTS) header so browsers refuse to connect over plain HTTP after the first visit. Connections between our application and its database and sub-processors are likewise encrypted in transit.
Data at rest
Account, scan and billing-mirror records live in a managed PostgreSQL database operated by Neon, pinned to an EU region (Frankfurt). Card data never touches our servers — all payment details are held by Stripe, our PCI-compliant payment processor. We store only a Stripe customer reference and the resulting subscription status.
Authentication
- Passwords are hashed with bcrypt at cost factor 12. We never store, log or transmit a plaintext password.
- A successful login issues a signed session token (a JOSE HS256 JWT) carrying only your account id and email. It is delivered in an httpOnly, Secure cookie (SameSite=Lax, 30-day lifetime) so it is inaccessible to JavaScript and is not sent on cross-site requests.
- Every request to the product is re-verified against the signing secret before any account data is loaded; a forged or expired token is rejected.
Tenant isolation
getAdvantage is multi-tenant. Every database query that reads or writes customer data is scoped to a single account_id, so one account can never read, modify or even detect another account’s sites, scans or recommendations. The only intentionally unscoped lookup is by a site’s embed key — an unguessable 32-character secret that is itself the credential.
Application hardening
- A global Content-Security-Policy, HSTS and a set of standard security headers (frame, content-type and referrer protections) are applied to every response.
- The scanner that fetches the pages you submit is SSRF-guarded: it allows only http/https, re-resolves DNS and re-validates the resolved IP, and blocks localhost and private, link-local and reserved address ranges so it can’t be pointed at internal infrastructure.
- Sensitive and abuse-prone endpoints are rate-limited per client IP. The IP is processed transiently in memory for this purpose and is never written to the database.
- Billing webhooks are accepted only after their cryptographic signature is verified against the raw request body — the single, tamper-checked source of truth for what plan an account is entitled to.
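The SSRF guard described in the scanner bullet above, as an added example (not getAdvantage's scanner): scheme allow-list, DNS resolution with validation of every returned address, and a deny-list of loopback, private, link-local, CGNAT, multicast and reserved ranges. The function names, the exact block list and the injectable `lookup` parameter are assumptions.

```javascript
// Added example: target validation for an SSRF-guarded fetcher.
// Names and the block list are assumptions, not the product's own code.
const dns = require("dns").promises;
const net = require("net");

// Dotted-quad IPv4 -> 32-bit unsigned integer.
function ipv4ToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// Ranges a scanner must never reach: "this network", RFC 1918, CGNAT, loopback,
// link-local (which includes cloud metadata endpoints), multicast and reserved space.
const BLOCKED_V4 = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
].map((cidr) => {
  const [base, bits] = cidr.split("/");
  const mask = (0xffffffff << (32 - Number(bits))) >>> 0;
  return { base: (ipv4ToInt(base) & mask) >>> 0, mask };
});

function isBlockedAddress(ip) {
  if (net.isIPv4(ip)) {
    const n = ipv4ToInt(ip);
    return BLOCKED_V4.some(({ base, mask }) => ((n & mask) >>> 0) === base);
  }
  if (net.isIPv6(ip)) {
    const lower = ip.toLowerCase();
    // IPv4-mapped addresses (::ffff:10.0.0.1) are re-checked under the IPv4 rules.
    const mapped = lower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (mapped) return isBlockedAddress(mapped[1]);
    // loopback, unspecified, unique-local (fc00::/7), link-local (fe80::/10), multicast (ff00::/8)
    return lower === "::1" || lower === "::" || /^f[cd]/.test(lower) ||
      /^fe[89ab]/.test(lower) || /^ff/.test(lower);
  }
  return true; // anything unparseable is treated as unsafe
}

// Validate a submitted URL and return the vetted address the fetch should connect to.
// `lookup` is injectable so the logic can be exercised without network access.
async function vetScanTarget(urlString, lookup = (h) => dns.lookup(h, { all: true })) {
  let url;
  try { url = new URL(urlString); } catch { return { ok: false, reason: "malformed URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  // Resolve here and check every returned address; a name that resolves to a mix
  // of public and private addresses is rejected outright.
  const records = net.isIP(host) ? [{ address: host }] : await lookup(host).catch(() => []);
  if (records.length === 0) return { ok: false, reason: "unresolvable host" };
  for (const { address } of records) {
    if (isBlockedAddress(address)) return { ok: false, reason: `resolves to blocked address ${address}` };
  }
  // The caller must connect to `address` directly (sending `host` in the Host/SNI)
  // rather than re-resolving the name, so a DNS answer that changes between this
  // check and the fetch cannot bypass it.
  return { ok: true, address: records[0].address, host };
}
```

The returned `address` is the value to hand to the HTTP client as the connect target; if the client is allowed to resolve the hostname again on its own, the check above can be defeated by a name whose answer changes between lookups.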
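The per-IP rate limit in the bullet above, as an added example (not getAdvantage's code): a sliding-window limiter whose only state is an in-process Map, so the client IP exists in memory for the length of the window and is never persisted. The window length, the request budget and the function names are assumptions.

```javascript
// Added example: in-memory sliding-window rate limiter keyed by client IP.
// Window, budget and names are assumptions, not the product's own values.
const WINDOW_MS = 60 * 1000;  // one-minute window (assumed)
const MAX_HITS = 20;          // requests per window per IP (assumed)

// ip -> timestamps (ms) of requests inside the current window. Process memory only.
const hits = new Map();

// Returns { allowed, remaining, retryAfterMs }; the caller answers 429 when !allowed.
// `nowMs` is injectable so the behaviour can be tested deterministically.
function checkRateLimit(ip, nowMs = Date.now()) {
  const cutoff = nowMs - WINDOW_MS;
  const recent = (hits.get(ip) || []).filter((t) => t > cutoff);
  if (recent.length >= MAX_HITS) {
    hits.set(ip, recent);
    // The oldest request still inside the window decides when the next slot frees up.
    return { allowed: false, remaining: 0, retryAfterMs: recent[0] + WINDOW_MS - nowMs };
  }
  recent.push(nowMs);
  hits.set(ip, recent);
  return { allowed: true, remaining: MAX_HITS - recent.length, retryAfterMs: 0 };
}

// Periodically drop IPs with no request inside the window, so memory stays bounded
// and an idle client's address is forgotten entirely. Returns the number of IPs kept.
function evictIdle(nowMs = Date.now()) {
  const cutoff = nowMs - WINDOW_MS;
  for (const [ip, times] of hits) {
    if (times.every((t) => t <= cutoff)) hits.delete(ip);
  }
  return hits.size;
}
```

A Map like this is per process, so on a platform that runs several instances each instance enforces the budget independently; that is still adequate for slowing down brute-force and abuse traffic, which is what the bullet describes, and it keeps the IP out of any shared store. Call `evictIdle` from a timer (or on every N-th request) so the Map cannot grow without bound.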
Secrets management
All credentials — database URLs, signing secrets, the OpenAI key and Stripe keys — are supplied to the application only as environment variables managed by our host. No secret is ever committed to the source repository, printed in logs, or exposed in the browser bundle (the sole exception is Stripe’s publishable key, which is designed to be public).
Hosting
The application is hosted on Vercel with its compute pinned to an EU region (Frankfurt, fra1), and the database on Neon in the EU (Frankfurt). Some sub-processors (e.g. Stripe, OpenAI, Resend) operate in the United States; those transfers rely on EU Standard Contractual Clauses and, where certified, the EU-US Data Privacy Framework. The full list is in our Privacy Policy.
Data deletion
You can ask us to delete your account and associated data at any time, and we will do so within a reasonable period — except records we are legally required to keep (e.g. billing and invoice records retained under German tax and commercial law, §147 AO / §257 HGB). To request deletion, contact us at the address in our Impressum.
What we don’t claim
getAdvantage is an independent, founder-run product. We do not currently hold a SOC 2 report, ISO 27001 certification, or any other formal third-party audit, and we will not imply that we do. Instead we publish, on this page, the specific measures that are genuinely in place — and we’ll update it as the security programme matures rather than backdating claims. A getAdvantage score is a measurement of a page at scan time, not a guarantee, and the same honesty applies to how we describe our own security.
Reporting a vulnerability
If you believe you’ve found a security issue, please email us via the contact address in our Impressum with the word “security” in the subject. We welcome good-faith reports and will work with you on a responsible disclosure timeline.
Breach handling
In the event of a personal-data breach that is likely to result in a risk to your rights, we will notify the competent supervisory authority and affected users without undue delay, in line with our obligations under Articles 33 and 34 GDPR.