Security

Security is the product.

We sell tools that help you find leaked data — so we obsess about not leaking yours. Here’s exactly how we protect your account, your queries and your wallet.

Encryption everywhere

All traffic is TLS 1.2+. Database is encrypted at rest with AES-256. Backup snapshots are encrypted. Sensitive secrets are stored in environment-scoped vaults, never in source.

Hardened infrastructure

Hosted on Vercel and Supabase, both SOC 2 Type II certified. EU-region database. Automatic daily backups with 7-day point-in-time recovery.

Least-privilege access

Row-level security on every user-scoped table. Server-side API key never exposed to the browser. Internal access requires SSO + hardware MFA.

Defense in depth

HSTS, X-Frame-Options, strict Content-Security-Policy, signed cookies, CSRF-resistant routes, and signature verification on every payment webhook.

Auditable trail

Every credit consumption, payment event and admin action is logged with an immutable audit trail. Customers can export their full activity log on request.

Incident response

24-hour acknowledgement on critical reports. 72-hour breach notification to affected customers per GDPR Art. 33. Public post-mortems within 7 days.

Compliance

Certifications & frameworks.

GDPR
Full data-subject rights workflow, signed DPA on request, EU data residency by default.
SOC 2 (subprocessors)
Supabase and Vercel are both SOC 2 Type II certified. We pass through their controls and layer our own on top.
PCI-DSS
Card data never touches our servers — Mollie is a PCI-DSS Level 1 service provider.
ISO 27001 (in progress)
Targeting certification within 12 months of public launch.

Disclosure

Responsible disclosure.

We welcome reports from independent security researchers. If you believe you’ve found a vulnerability, please follow the guidelines below.

Email us

security@squarebreach.com (PGP key on request).

Scope

squarebreach.com and *.squarebreach.com. Out of scope: third-party services (Supabase, Mollie, NOWPayments) — please report to them directly.

Rules of engagement

· Test only against accounts you control. Do not access other customers’ data.
· No DDoS, social engineering, physical attacks.
· Give us 90 days to remediate before public disclosure.

Resources

Security is the product.

We sell tools that help you find leaked data — so we obsess about not leaking yours. Here’s exactly how we protect your account, your queries and your wallet.

Encryption everywhere

All traffic is TLS 1.2+. Database is encrypted at rest with AES-256. Backup snapshots are encrypted. Sensitive secrets are stored in environment-scoped vaults, never in source.

Hardened infrastructure

Hosted on Vercel and Supabase, both SOC 2 Type II certified. EU-region database. Automatic daily backups with 7-day point-in-time recovery.

Least-privilege access

Row-level security on every user-scoped table. Server-side API key never exposed to the browser. Internal access requires SSO + hardware MFA.

Defense in depth

HSTS, X-Frame-Options, strict Content-Security-Policy, signed cookies, CSRF-resistant routes, and signature verification on every payment webhook.

Auditable trail

Every credit consumption, payment event and admin action is logged with an immutable audit trail. Customers can export their full activity log on request.

Incident response

24-hour acknowledgement on critical reports. 72-hour breach notification to affected customers per GDPR Art. 33. Public post-mortems within 7 days.

Compliance

Certifications & frameworks.

GDPR
Full data-subject rights workflow, signed DPA on request, EU data residency by default.
SOC 2 (subprocessors)
Supabase and Vercel are both SOC 2 Type II certified. We pass through their controls and layer our own on top.
PCI-DSS
Card data never touches our servers — Mollie is a PCI-DSS Level 1 service provider.
ISO 27001 (in progress)
Targeting certification within 12 months of public launch.

Disclosure

Responsible disclosure.

We welcome reports from independent security researchers. If you believe you’ve found a vulnerability, please follow the guidelines below.

Email us

security@squarebreach.com (PGP key on request).

Scope

squarebreach.com and *.squarebreach.com. Out of scope: third-party services (Supabase, Mollie, NOWPayments) — please report to them directly.

Rules of engagement

· Test only against accounts you control. Do not access other customers’ data.
· No DDoS, social engineering, physical attacks.
· Give us 90 days to remediate before public disclosure.

Resources

Security is the product.

Encryption everywhere

Hardened infrastructure

Least-privilege access

Defense in depth

Auditable trail

Incident response

Certifications & frameworks.

Responsible disclosure.

More to read.

Security is the product.

Encryption everywhere

Hardened infrastructure

Least-privilege access

Defense in depth

Auditable trail

Incident response

Certifications & frameworks.

Responsible disclosure.

More to read.