Trust & security

Security, in specifics.

We are an early-stage platform handling real money, so we are precise about what we have built and honest about what we have not. Here is exactly how your account, your data, and your earnings are protected.

What runs underneath

Controls that are actually in the code.

Not a certification we do not hold. These are the protections that ship in the platform today.

Security overview

Passwordless sign-in

One-time codes, rate-limited, with lockout after repeated failures.

Strict account isolation

Every query is scoped to your account. Cross-account access is rejected.

Signed webhooks

HMAC-verified in and out, with protection against internal-network calls.

Integer-cents money

One commission per sale, idempotent, never stored as a float.

Audit log

Sensitive actions record who did what, and when.

Passwordless authentication

  • Sign in with one-time codes. There is no password to reuse or leak.
  • Codes expire in minutes and can be used once.
  • Repeated attempts are rate-limited and locked out.

API keys & credentials

  • API keys are stored only as hashes. The raw key is shown to you once.
  • Keys are scoped, and requests are rate-limited.

Strict account isolation

  • Every query is scoped to a single account.
  • One organization cannot read or write another organization data. Cross-account access is rejected.

Signed webhooks

  • Inbound and outbound webhooks are cryptographically signed and verified.
  • Outbound calls are guarded against server-side request forgery.
  • Failed deliveries retry and auto-disable a broken endpoint.

Money handled carefully

  • Commissions are calculated in integer cents, never floating point.
  • Each referred sale creates exactly one commission, even if a webhook retries.
  • Refunds claw back proportionally and cannot over-reverse.

Auditable & EU-hosted

  • Sensitive actions are written to an append-only audit log: who, what, and when.
  • Data in transit is encrypted with TLS. Infrastructure is hosted in the EU.

What we do not claim.

Transparency means being clear about the edges of what we have built.

We are an early-stage platform. We do not currently hold SOC 2, ISO 27001, or PCI certification.
Payment card details never touch our servers. Card handling is done by our payment processors, which are PCI-compliant.
We do not publish an uptime guarantee or SLA. When that changes, we will say so here.

Report a vulnerability.

Found something? We welcome good-faith security research and will not pursue action against researchers who report responsibly and avoid harming users or data.

security@earningit.co
Security - EarningIt