Security
How we protect your data and payments
Payment security
All payments are processed through Stripe, a PCI DSS Level 1 certified payment processor. Card numbers never touch our servers. Stripe handles all sensitive payment data storage, tokenization, and processing.
Data encryption
All data in transit is encrypted using TLS 1.2+ (HTTPS). We enforce HSTS and Content Security Policy headers.
Bot protection
Sensitive forms are protected by Cloudflare Turnstile, an invisible CAPTCHA that blocks automated abuse without disrupting real users. All API endpoints are rate-limited to prevent brute force attacks.
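As an added illustration of the per-endpoint rate limiting described above (example code, not SponsorTh.is's own implementation), the following Node.js snippet keeps a sliding window of request timestamps per client address and endpoint and rejects requests once the window is full, returning the delay a 429 response would carry in Retry-After. The limit, window length and request shape are assumptions chosen for the example.

```javascript
// Added example: sliding-window rate limiter keyed by client IP and endpoint.
// The limit (3 requests) and window (1000 ms) are assumed values for illustration.
class SlidingWindowLimiter {
  constructor({ limit = 3, windowMs = 1000 } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> sorted array of request timestamps (ms)
  }

  // Decide whether a request identified by `key` at time `now` is allowed.
  // Timestamps older than the window are dropped before counting.
  check(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      // Oldest hit in the window decides when capacity frees up again.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
}

// Minimal request handler showing how the limiter maps to HTTP status codes.
// `req` is a constructed object { ip, path }, not a framework request.
function handleRequest(limiter, req, now) {
  const key = `${req.ip}:${req.path}`; // limit per client and per endpoint
  const result = limiter.check(key, now);
  if (!result.allowed) {
    return { status: 429, headers: { 'Retry-After': Math.ceil(result.retryAfterMs / 1000) } };
  }
  return { status: 200, headers: { 'X-RateLimit-Remaining': result.remaining } };
}

// Replay a constructed burst against a single login endpoint and report statuses.
function simulateBurst() {
  const limiter = new SlidingWindowLimiter({ limit: 3, windowMs: 1000 });
  const req = { ip: '203.0.113.7', path: '/api/auth/magic-link' };
  const times = [0, 100, 200, 500, 1000];
  return times.map((t) => handleRequest(limiter, req, t).status);
}
```

Because the window slides rather than resetting on a fixed boundary, a client cannot double its allowance by bursting just before and just after a reset; the fourth request at 500 ms is refused and capacity returns only once the oldest hit ages out.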
Input validation
All user input is validated with Zod schemas and sanitized on both client and server to prevent XSS, SQL injection, and other common attack vectors.
Audit logging
Every sponsorship payment, team change, data export, and configuration update is recorded in an immutable audit log with timestamps and IP addresses.
Access controls
Team organizers can only access their own team data. Authentication uses secure, HTTP-only session tokens. We support Google OAuth and magic link authentication — no passwords stored.
Infrastructure
SponsorTh.is is deployed on Vercel's edge network with automatic HTTPS, DDoS protection, and global CDN distribution. Images and assets are stored on Cloudflare R2.
Reporting vulnerabilities
Report security issues to security@sponsorth.is.