Security
Last updated: February 17, 2026
Your data security is paramount. We use industry-standard encryption, secure infrastructure, and privacy-by-design principles. Your stage plots never leave your device.
Highlights: HTTPS/TLS · Encrypted Storage · SOC 2 Infrastructure · GDPR Compliant
1. How We Protect Your Data
1.1 Transport Security
All data transmitted between your browser and our servers is protected using:
- HTTPS (TLS 1.2+): All connections use strong encryption protocols
- HSTS (HTTP Strict Transport Security): Forces secure connections
- Certificate pinning: Prevents man-in-the-middle attacks
- Secure headers: Content Security Policy (CSP), X-Frame-Options, etc.
1.2 Data Storage Security
Your application data (stage plots, input lists):
- Stored locally on your device in browser localStorage/IndexedDB
- Never transmitted to our servers unless you explicitly export
- Protected by browser same-origin policy
- Not accessible to other websites or applications
License and payment data:
- Stored in Supabase PostgreSQL with encryption at rest (AES-256)
- Protected by Row Level Security (RLS) policies
- Accessible only via authenticated service role
- Regular automated backups to secure locations
1.3 Payment Security
We use Stripe for payment processing. Stripe is a PCI DSS Level 1 certified payment processor (the highest security certification in the payments industry).
- We never see your credit card number
- All payment data is handled entirely by Stripe
- Stripe uses tokenization to protect your payment information
- 3D Secure (SCA) authentication for European cards
2. Infrastructure Security
2.1 Hosting and Infrastructure Providers
| Service | Provider | Security Certifications |
|---|---|---|
| Hosting | Vercel | SOC 2 Type II, GDPR compliant |
| Database | Supabase (AWS) | SOC 2 Type II, ISO 27001, GDPR compliant |
| Payment | Stripe | PCI DSS Level 1, SOC 1 & SOC 2 |
| Error Monitoring | Sentry | SOC 2 Type II, GDPR compliant |
2.2 Network Security
- DDoS protection: Cloudflare integration for attack mitigation
- Rate limiting: API endpoints have rate limits to prevent abuse
- Firewall rules: Database is not publicly accessible
- VPC isolation: Services run in isolated virtual networks
2.3 Access Control
- Production database access limited to service accounts only
- API keys and secrets stored in encrypted environment variables
- Two-factor authentication (2FA) required for all admin accounts
- Principle of least privilege for all system access
- Regular audit logs reviewed for suspicious activity
3. Application Security
3.1 License Verification
License keys are generated using cryptographic hashing:
- Deterministic generation: SHA-256 hash of email + session ID + secret
- Server-side verification: Keys cannot be forged client-side
- Rate limiting: Verification API has abuse protection
- Revocable: Keys can be deactivated if compromised
3.2 Content Security Policy (CSP)
We enforce strict CSP headers to prevent cross-site scripting (XSS) attacks:
- Scripts only from trusted sources
- No inline scripts (except with nonce)
- No eval() or unsafe JavaScript execution
- Frame embedding restricted to same-origin
3.3 Dependency Management
- Regular security audits of third-party dependencies
- Automated dependency updates via Dependabot
- Minimal dependencies to reduce attack surface
- Subresource Integrity (SRI) for CDN resources
4. Privacy-by-Design
4.1 Local-First Architecture
Our applications are built with privacy as the foundation:
- Zero server access to your work: Your stage plots never touch our servers
- Offline-capable: Apps work without internet once loaded
- No cloud sync (yet): Your data stays on your device
- Client-side only: All rendering and editing happens in your browser
4.2 Minimal Data Collection
We collect the absolute minimum data necessary:
- Email address (only if you purchase Pro or sign up for mailing list)
- Anonymized analytics (page views, device type)
- Error reports (only when bugs occur, no personal data)
- No location tracking
- No browsing history
- No cross-site tracking
See our Privacy Policy for full details.
5. Your Responsibilities
Security is a shared responsibility. Here's how you can protect your data:
5.1 Protect Your License Key
- Don't share your license key with others
- Don't post it publicly (GitHub, forums, etc.)
- If compromised, email us immediately for a replacement
5.2 Keep Backups
- Export important stage plots regularly
- Browser data can be lost if you clear cache or reinstall
- Use the export feature to save copies outside the browser
5.3 Use Secure Devices
- Keep your operating system and browser up to date
- Use antivirus/anti-malware software
- Avoid using public/shared computers for sensitive work
- Log out of shared devices after use
5.4 Recognize Phishing
- We will never ask for your license key via email
- All go·for·show domains end in goforshow.io
- Payment happens exclusively through Stripe's official checkout
- Suspicious emails? Forward to security@goforshow.io
6. Vulnerability Disclosure
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
6.1 How to Report
Email: security@goforshow.io
Please include:
- A description of the vulnerability
- Steps to reproduce the issue
- Potential impact (what an attacker could do)
- Any proof-of-concept code (if applicable)
- Your contact information
6.2 Our Commitment
- Response time: We'll acknowledge your report within 48 hours
- Investigation: We'll investigate and determine severity
- Fix timeline: Critical issues patched within 7 days, others within 30 days
- Disclosure: We'll coordinate public disclosure with you
- Credit: We'll publicly credit you (unless you prefer anonymity)
6.3 What NOT to Do
When testing for vulnerabilities, please:
- Don't access other users' data
- Don't perform denial-of-service attacks
- Don't publicly disclose the vulnerability before we've patched it
- Don't use automated scanners without permission
- Don't exploit the vulnerability beyond proof-of-concept
7. Data Breach Procedures
In the unlikely event of a data breach:
- Containment: Immediately isolate affected systems
- Assessment: Determine scope and severity within 24 hours
- Notification: Notify affected users within 72 hours (GDPR requirement)
- Remediation: Patch vulnerabilities and restore security
- Review: Conduct post-mortem and update security practices
We maintain cyber liability insurance to cover potential breach-related costs.
8. Compliance and Certifications
8.1 Regulations We Comply With
- GDPR: General Data Protection Regulation (EU)
- CCPA: California Consumer Privacy Act (California, USA)
- COPPA: Children's Online Privacy Protection Act (we don't target children under 13)
- PCI DSS: Payment Card Industry Data Security Standard (via Stripe)
8.2 Third-Party Security
We rely on trusted providers with strong security track records:
- All providers are SOC 2 Type II certified
- GDPR-compliant data processing agreements in place
- Regular security audits by independent third parties
- Incident response plans and 24/7 monitoring
9. General Security Practices
- Secure development lifecycle: Security review at every stage
- Regular penetration testing: Annual third-party security audits
- Incident response plan: Documented procedures for security events
- Employee training: Security awareness training for all team members
- Principle of least privilege: Minimal access rights for all accounts
- Defense in depth: Multiple layers of security controls
- Regular updates: Timely patching of security vulnerabilities
10. Questions or Concerns?
If you have security questions or concerns:
Security issues: security@goforshow.io
General inquiries: legal@goforshow.io
Support: support@goforshow.io
Operating as: go·for·show
Location: New York City, USA
Security is an ongoing process. We continuously monitor, update, and improve our security practices. This page is updated regularly to reflect our current security posture.
Last security audit: January 2026