Security at CollectIQ
We build infrastructure that handles your inventory, buyer data, and transactions. Security isn't a feature — it's a foundational requirement. Here's how we protect your data.
Security Controls
Encryption at Rest & in Transit
All data is encrypted at rest using AES-256, and all connections use TLS 1.3. API keys are stored only as SHA-256 hashes, never in plaintext: a presented key is hashed and compared with the stored digest, so a copy of the database does not yield usable keys. A fast unsalted hash is adequate for long random API keys; low-entropy secrets such as passwords need a slow, salted hash instead.
Row-Level Security (RLS)
Every database query is scoped by workspace. Supabase Row-Level Security policies are evaluated inside PostgreSQL on every query, so tenant isolation is enforced by the database itself rather than by application code remembering to add a filter, and no workspace can read another's data.
HMAC-Signed Webhooks
All outbound webhooks are signed with HMAC-SHA256 using your workspace's secret. Verifying the signature over the raw request body confirms that a payload came from CollectIQ and was not tampered with in transit. A valid signature alone does not stop an attacker from re-sending a captured delivery, so to defend against replay your endpoint should also check a signed timestamp or a per-delivery ID against a short tolerance window.
Rate Limiting & Abuse Protection
Redis-backed rate limiting protects every API endpoint, with quotas tiered per plan. Unauthenticated endpoints fall back to per-IP limits. DDoS mitigation is provided by Vercel's edge network.
Full Audit Trail
Every API call, match run, notification delivery, and trade state transition is logged with timestamps, actor IDs, and request correlation. Logs are immutable and retained for 90 days.
Edge-Deployed Infrastructure
Deployed on Vercel's edge network (200+ PoPs worldwide). Automatic failover and zero-downtime deploys. See our live status page for current uptime.
HTTP Security Headers
| Header | Value |
|---|---|
| Strict-Transport-Security | max-age=63072000; includeSubDomains; preload |
| X-Frame-Options | DENY |
| X-Content-Type-Options | nosniff |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | camera=(), microphone=(), geolocation=() |
| X-Request-Id | Unique per request — enables correlation and debugging |
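A quick way to confirm a live response actually carries the headers in this table, as an added example (not a CollectIQ tool): feed the audit function a plain object of response headers, for instance `Object.fromEntries((await fetch(url)).headers)`, and it returns a list of findings. It parses Strict-Transport-Security rather than string-matching it, so a weaker max-age or a missing directive is reported precisely. The two sample responses are constructed.

```javascript
// Expected values, taken from the table above (names lowercased for lookup).
const EXPECTED = {
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
};
const HSTS_MIN_MAX_AGE = 63072000; // two years, as in the table

// Parse "max-age=N; includeSubDomains; preload" into its parts.
function parseHsts(value) {
  const parts = value.split(';').map(p => p.trim().toLowerCase());
  const maxAge = parts.map(p => p.match(/^max-age=(\d+)$/)).find(Boolean);
  return {
    maxAge: maxAge ? Number(maxAge[1]) : null,
    includeSubDomains: parts.includes('includesubdomains'),
    preload: parts.includes('preload'),
  };
}

// Whitespace- and case-insensitive comparison for directive lists.
function normalize(v) {
  return String(v).replace(/\s+/g, '').toLowerCase();
}

// headers: object of header name -> value (any case). Returns findings;
// an empty list means every header in the table is present with the expected value.
function auditSecurityHeaders(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]),
  );
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('strict-transport-security missing');
  } else {
    const p = parseHsts(hsts);
    if (p.maxAge === null || p.maxAge < HSTS_MIN_MAX_AGE) findings.push(`HSTS max-age too low: ${p.maxAge}`);
    if (!p.includeSubDomains) findings.push('HSTS missing includeSubDomains');
    if (!p.preload) findings.push('HSTS missing preload');
  }

  for (const [name, want] of Object.entries(EXPECTED)) {
    const got = h[name];
    if (got === undefined) findings.push(`${name} missing`);
    else if (normalize(got) !== normalize(want)) findings.push(`${name} is "${got}", expected "${want}"`);
  }

  // Not a hardening header, but the table promises it for request correlation.
  if (!h['x-request-id']) findings.push('x-request-id missing');
  return findings;
}

// Constructed responses: one matching the table, one with a short HSTS
// max-age, a permissive Referrer-Policy and several headers absent.
function demo() {
  const good = {
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
    'X-Request-Id': '8f3c2a1e-0000-4000-8000-000000000000',
  };
  const weak = {
    'Strict-Transport-Security': 'max-age=300',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'no-referrer-when-downgrade',
  };
  return { good: auditSecurityHeaders(good), weak: auditSecurityHeaders(weak) };
}
```

Run it against the production origin and at least one redirect target (the `www` host, or whatever `includeSubDomains` is meant to cover), since a header set on one route but not another is a common regression after a framework or platform change.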
Compliance Roadmap
| Framework | Status | Target |
|---|---|---|
| SOC 2 Type I | In Progress | Q3 2026 |
| SOC 2 Type II | Planned | Q1 2027 |
| GDPR | Compliant | — |
| CCPA | Compliant | — |
| PCI DSS | Delegated | Stripe handles all payment data |
Infrastructure & Vendors
- Vercel: edge deployment, DDoS protection, zero-downtime deploys
- Supabase: PostgreSQL with RLS, managed auth, encrypted backups
- Stripe: PCI DSS Level 1 certified payment processing; we never touch card data
- Serverless Redis for edge-based rate limiting
- DKIM-signed, SPF/DMARC-compliant email delivery
- Sentry: real-time error tracking (client, server, edge)
Responsible Disclosure
Found a vulnerability? We appreciate responsible disclosure. Please report security issues to security@collectiqhq.com. We respond within 24 hours and will work with you to remediate confirmed issues.
Do not disclose vulnerabilities publicly until we've had a chance to investigate and deploy a fix. We will credit researchers who follow responsible disclosure.
Incident Response
CollectIQ maintains a documented incident response process. In the event of a security incident:
- Detection: Automated monitoring via Sentry, Supabase alerts, and Vercel deployment checks catches anomalies within minutes.
- Triage: Incidents are classified by severity (P0–P3). P0/P1 incidents trigger immediate response.
- Notification: Affected customers are notified within 72 hours of confirmed data incidents, consistent with industry standards.
- Post-mortem: Every P0/P1 incident results in a blameless post-mortem with root cause analysis and preventive actions.
Data Retention & Deletion
We retain your data only as long as needed to provide the service. Our retention policies are designed to minimize data exposure while maintaining audit trails.
Active Data
Inventory, requests, trades, and workspace data are retained while your account is active. All data is scoped by workspace via RLS.
Audit Logs
Webhook delivery logs, API access logs, and ingestion receipts are retained for 90 days, then automatically purged.
Account Deletion
Contact support@collectiqhq.com to request full account deletion. All workspace data is permanently removed within 30 days of request.
Backups
Database backups are encrypted and retained for 7 days via Supabase's managed backup service. Point-in-time recovery is available.