Security

Last updated: February 17, 2026

HTTPS/TLS Encrypted Storage SOC 2 Infrastructure GDPR Compliant

1. How We Protect Your Data

1.1 Transport Security

All data transmitted between your browser and our servers is protected using:

• HTTPS (TLS 1.2+): All connections use strong encryption protocols
• HSTS (HTTP Strict Transport Security): Forces secure connections
• Certificate pinning: Prevents man-in-the-middle attacks
• Secure headers: Content Security Policy (CSP), X-Frame-Options, etc.

1.2 Data Storage Security

Your application data (stage plots, input lists):

• Stored locally on your device in browser localStorage/IndexedDB
• Never transmitted to our servers unless you explicitly export
• Protected by browser same-origin policy
• Not accessible to other websites or applications

License and payment data:

• Stored in Supabase PostgreSQL with encryption at rest (AES-256)
• Protected by Row Level Security (RLS) policies
• Accessible only via authenticated service role
• Regular automated backups to secure locations

1.3 Payment Security

We use Stripe for payment processing. Stripe is a PCI DSS Level 1 certified payment processor (the highest security certification in the payments industry).

• We never see your credit card number
• All payment data is handled entirely by Stripe
• Stripe uses tokenization to protect your payment information
• 3D Secure (SCA) authentication for European cards

2. Infrastructure Security

2.1 Hosting and Infrastructure Providers

Service	Provider	Security Certifications
Hosting	Vercel	SOC 2 Type II, GDPR compliant
Database	Supabase (AWS)	SOC 2 Type II, ISO 27001, GDPR compliant
Payment	Stripe	PCI DSS Level 1, SOC 1 & SOC 2
Error Monitoring	Sentry	SOC 2 Type II, GDPR compliant

2.2 Network Security

• DDoS protection: Cloudflare integration for attack mitigation
• Rate limiting: API endpoints have rate limits to prevent abuse
• Firewall rules: Database is not publicly accessible
• VPC isolation: Services run in isolated virtual networks

2.3 Access Control

• Production database access limited to service accounts only
• API keys and secrets stored in encrypted environment variables
• Two-factor authentication (2FA) required for all admin accounts
• Principle of least privilege for all system access
• Regular audit logs reviewed for suspicious activity

3. Application Security

3.1 License Verification

License keys are generated using cryptographic hashing:

• Deterministic generation: SHA-256 hash of email + session ID + secret
• Server-side verification: Keys cannot be forged client-side
• Rate limiting: Verification API has abuse protection
• Revocable: Keys can be deactivated if compromised

3.2 Content Security Policy (CSP)

We enforce strict CSP headers to prevent cross-site scripting (XSS) attacks:

• Scripts only from trusted sources
• No inline scripts (except with nonce)
• No eval() or unsafe JavaScript execution
• Frame embedding restricted to same-origin

3.3 Dependency Management

• Regular security audits of third-party dependencies
• Automated dependency updates via Dependabot
• Minimal dependencies to reduce attack surface
• Subresource Integrity (SRI) for CDN resources

4. Privacy-by-Design

4.1 Local-First Architecture

Our applications are built with privacy as the foundation:

• Zero server access to your work: Your stage plots never touch our servers
• Offline-capable: Apps work without internet once loaded
• No cloud sync (yet): Your data stays on your device
• Client-side only: All rendering and editing happens in your browser

4.2 Minimal Data Collection

We collect the absolute minimum data necessary:

• Email address (only if you purchase Pro or sign up for mailing list)
• Anonymized analytics (page views, device type)
• Error reports (only when bugs occur, no personal data)
• No location tracking
• No browsing history
• No cross-site tracking

See our Privacy Policy for full details.

5. Your Responsibilities

Security is a shared responsibility. Here's how you can protect your data:

5.1 Protect Your License Key

• Don't share your license key with others
• Don't post it publicly (GitHub, forums, etc.)
• If compromised, email us immediately for a replacement

5.2 Keep Backups

• Export important stage plots regularly
• Browser data can be lost if you clear cache or reinstall
• Use the export feature to save copies outside the browser

5.3 Use Secure Devices

• Keep your operating system and browser up to date
• Use antivirus/anti-malware software
• Avoid using public/shared computers for sensitive work
• Log out of shared devices after use

5.4 Recognize Phishing

• We will never ask for your license key via email
• All go·for·show domains end in goforshow.io
• Payment happens exclusively through Stripe's official checkout
• Suspicious emails? Forward to security@goforshow.io

6. Vulnerability Disclosure

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

6.1 How to Report

Email: security@goforshow.io

Please include:

• A description of the vulnerability
• Steps to reproduce the issue
• Potential impact (what an attacker could do)
• Any proof-of-concept code (if applicable)
• Your contact information

6.2 Our Commitment

• Response time: We'll acknowledge your report within 48 hours
• Investigation: We'll investigate and determine severity
• Fix timeline: Critical issues patched within 7 days, others within 30 days
• Disclosure: We'll coordinate public disclosure with you
• Credit: We'll publicly credit you (unless you prefer anonymity)

6.3 What NOT to Do

When testing for vulnerabilities, please:

• Don't access other users' data
• Don't perform denial-of-service attacks
• Don't publicly disclose the vulnerability before we've patched it
• Don't use automated scanners without permission
• Don't exploit the vulnerability beyond proof-of-concept

7. Data Breach Procedures

In the unlikely event of a data breach:

1. Containment: Immediately isolate affected systems
2. Assessment: Determine scope and severity within 24 hours
3. Notification: Notify affected users within 72 hours (GDPR requirement)
4. Remediation: Patch vulnerabilities and restore security
5. Review: Conduct post-mortem and update security practices

We maintain cyber liability insurance to cover potential breach-related costs.

8. Compliance and Certifications

8.1 Regulations We Comply With

• GDPR: General Data Protection Regulation (EU)
• CCPA: California Consumer Privacy Act (California, USA)
• COPPA: Children's Online Privacy Protection Act (we don't target children under 13)
• PCI DSS: Payment Card Industry Data Security Standard (via Stripe)

8.2 Third-Party Security

We rely on trusted providers with strong security track records:

• All providers are SOC 2 Type II certified
• GDPR-compliant data processing agreements in place
• Regular security audits by independent third parties
• Incident response plans and 24/7 monitoring

9. Enterprise Security — back·line

back·line is purpose-built for enterprise production companies, rental houses, and touring operations that require the highest security standards for equipment inventory management.

9.1 Hardened Security Headers

back·line routes enforce additional security policies beyond the site-wide defaults:

• Tightened Content Security Policy: Reduced allowlist — only domains required for app functionality (Supabase, Sentry, Analytics). No third-party payment or marketing scripts.
• Cross-Origin-Opener-Policy: same-origin — prevents Spectre-class cross-origin data leaks
• Cross-Origin-Resource-Policy: same-origin — prevents resource theft via cross-origin requests
• Restricted CORS: API access limited to www.goforshow.io only

9.2 Data Architecture

• Offline-first: Equipment data stored locally in IndexedDB using Dexie.js, encrypted by browser same-origin policy
• Sync layer: Supabase PostgreSQL with Row Level Security (RLS) — users can only access their own organization's data
• No data commingling: Tenant isolation enforced at the database level via RLS policies
• Encryption at rest: AES-256 for all server-side data in Supabase (AWS-managed keys)
• Encryption in transit: TLS 1.2+ with HSTS preload for all connections

9.3 Access Controls

• Role-based access: Multi-user access with configurable permissions per organization
• Service role isolation: Backend operations use scoped service keys, not admin keys
• Camera permissions: QR scanning requires explicit user consent; camera access is limited to self origin only
• Session management: Supabase Auth with JWT tokens, automatic token refresh, secure httpOnly cookies where applicable

9.4 Audit & Compliance Readiness

• Audit trail: All data mutations logged with timestamps and user identity
• SOC 2 Type II infrastructure chain: Vercel (hosting), Supabase (database), Sentry (monitoring) — all independently certified
• Data residency: Primary data region is US-East (AWS). Contact us for EU data residency requirements.
• Data portability: Full data export available in standard formats (CSV, JSON)
• Data deletion: Right to erasure honored within 30 days upon request
• Business continuity: Automated database backups with point-in-time recovery

9.5 Enterprise Contact

For enterprise security questionnaires, vendor assessments, or custom compliance requirements:

Email: security@goforshow.io
Response SLA: 48 hours for security inquiries, 24 hours for active incidents

10. General Security Practices

• Secure development lifecycle: Security review at every stage
• Regular penetration testing: Annual third-party security audits
• Incident response plan: Documented procedures for security events
• Employee training: Security awareness training for all team members
• Principle of least privilege: Minimal access rights for all accounts
• Defense in depth: Multiple layers of security controls
• Regular updates: Timely patching of security vulnerabilities

11. Questions or Concerns?

If you have security questions or concerns:

Security issues: security@goforshow.io
General inquiries: legal@goforshow.io
Support: support@goforshow.io

Operating as: go·for·show
Location: New York City, USA