Trust & security
Security, in specifics.
We are an early-stage platform handling real money, so we are precise about what we have built and honest about what we have not. Here is exactly how your account, your data, and your earnings are protected.
What runs underneath
Controls that are actually in the code.
Not a certification we do not hold. These are the protections that ship in the platform today.
Passwordless sign-in
One-time codes, rate-limited, with lockout after repeated failures.
Strict account isolation
Every query is scoped to your account. Cross-account access is rejected.
Signed webhooks
HMAC-verified in and out, with protection against internal-network calls.
Integer-cents money
One commission per sale, idempotent, never stored as a float.
Audit log
Sensitive actions record who did what, and when.
Passwordless authentication
- Sign in with one-time codes. There is no password to reuse or leak.
- Codes expire in minutes and can be used once.
- Repeated attempts are rate-limited and locked out.
API keys & credentials
- API keys are stored only as hashes. The raw key is shown to you once.
- Keys are scoped, and requests are rate-limited.
Strict account isolation
- Every query is scoped to a single account.
- One organization cannot read or write another organization data. Cross-account access is rejected.
Signed webhooks
- Inbound and outbound webhooks are cryptographically signed and verified.
- Outbound calls are guarded against server-side request forgery.
- Failed deliveries retry and auto-disable a broken endpoint.
Money handled carefully
- Commissions are calculated in integer cents, never floating point.
- Each referred sale creates exactly one commission, even if a webhook retries.
- Refunds claw back proportionally and cannot over-reverse.
Auditable & EU-hosted
- Sensitive actions are written to an append-only audit log: who, what, and when.
- Data in transit is encrypted with TLS. Infrastructure is hosted in the EU.
What we do not claim.
Transparency means being clear about the edges of what we have built.
Report a vulnerability.
Found something? We welcome good-faith security research and will not pursue action against researchers who report responsibly and avoid harming users or data.
security@earningit.co