Security

Your buy price never leaves its lane.

Slabbist was built around a single idea: the buy number belongs to the owner, not the associate. Everything else follows from that.

Encrypted in transit and at rest

TLS 1.3 for every connection. AES-256 for data at rest in Postgres and object storage. Backups are encrypted with separate keys.

Role enforcement in the database

Row-level security in Postgres means an associate can never read a column their role does not own. The API never returns what the database refuses to serve.

Least-privilege access

Engineering access to production is gated through SSO + hardware MFA, time-boxed, and logged. There is no shared admin account.

Tested backups

Point-in-time recovery up to 7 days. Monthly restore drills, tracked in a public-to-customers runbook.

Audit logging

Every margin rule change, export, and role change is logged with actor, time, and IP. Logs are retained for 12 months minimum.

Responsible disclosure

Reports to security@slabbist.com are acknowledged within one business day. Good-faith researchers are welcome — see the policy below.
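As an added illustration of the "buy number belongs to the owner" rule (example code written for this page, not Slabbist's actual schema or policies), the Postgres DDL below combines the two mechanisms that together give the guarantee described above: a column-level grant that withholds buy_price from the associate role, and row-level security policies that keep each role inside its own owner's rows. The table names inventory and memberships, the roles owner_role and associate_role, and the session setting app.current_user are all assumptions chosen for the example.

```sql
-- Example schema (constructed for illustration, not Slabbist's own).
create table inventory (
  id          bigserial primary key,
  owner_id    uuid not null,
  title       text not null,
  list_price  numeric(12,2) not null,
  buy_price   numeric(12,2) not null   -- the owner-only column
);

-- Which associates work for which owner (assumed structure).
create table memberships (
  owner_id     uuid not null,
  associate_id uuid not null,
  primary key (owner_id, associate_id)
);

create role owner_role;
create role associate_role;

-- Column-level privilege: the associate role is granted every column
-- except buy_price, so even "select *" fails for that role.
grant select (id, owner_id, title, list_price) on inventory to associate_role;
grant select on memberships to associate_role;
grant select, insert, update, delete on inventory to owner_role;

-- Row-level security: restricts which rows each role can see at all.
-- FORCE applies the policies to the table owner as well.
alter table inventory enable row level security;
alter table inventory force row level security;

-- The API sets app.current_user per request; missing_ok = true makes
-- current_setting return NULL (and therefore match no rows) if unset.
create policy owner_rows on inventory
  for all to owner_role
  using      (owner_id = current_setting('app.current_user', true)::uuid)
  with check (owner_id = current_setting('app.current_user', true)::uuid);

create policy associate_rows on inventory
  for select to associate_role
  using (exists (
    select 1 from memberships m
    where m.owner_id = inventory.owner_id
      and m.associate_id = current_setting('app.current_user', true)::uuid));

-- Check from an associate session (constructed UUID):
set role associate_role;
set app.current_user = '11111111-1111-1111-1111-111111111111';
select id, title, list_price from inventory;  -- only the owner's rows
select buy_price from inventory;              -- ERROR: permission denied for table inventory
reset role;
```

Two points worth checking when reviewing a setup like this: the API must connect as a non-superuser role (superusers bypass both grants and RLS), and the session setting is only as trustworthy as the code that sets it, so it should be written by the API layer from an authenticated identity, never taken from request input.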

Reporting a vulnerability

Email security@slabbist.com with a reproduction and the affected surface. If you need PGP, request our key in the first message and we will send it before you share details.

We acknowledge within one business day and aim to triage within three. We do not currently run a paid bounty, but we will credit researchers who ask for public acknowledgement once a fix ships.

Safe-harbor

Good-faith research on the Slabbist production services is not a violation of our Terms. "Good-faith" means no data exfiltration beyond a minimum proof of concept, no denial of service, no social engineering of our staff, and no accessing other users' data beyond your own accounts.

Subprocessors and infrastructure

A current list is available on request. Key providers at the time of writing: Supabase (Postgres + auth, US region), Cloudflare (edge network), Resend (transactional email), Sentry (crash telemetry with PII redaction), Stripe and Persona (marketplace, future).

Compliance roadmap

We are working toward SOC 2 Type I in 2026, followed by Type II once we have twelve months of production operations. GDPR and CCPA compliance is in place today. Customers with specific requirements can ask for a current security questionnaire response.