Security

Encryption

All traffic to our website, dashboard, and API is encrypted in transit using TLS. Data stored in our databases is encrypted at rest by our infrastructure providers.

Credentials and API keys

Account passwords and API keys are stored only as salted, hashed values using a strong key-derivation function (scrypt). We never store API keys in plain text, which means we cannot show you a key again after it is created.

If a key is lost or exposed, rotate it from the dashboard; the old key is invalidated immediately.

Infrastructure

Wherabouts runs on managed, reputable providers, including Neon for PostgreSQL database hosting and Cloudflare for edge delivery and compute. We apply least-privilege access controls and isolate production systems.

Authentication and access

The dashboard is protected by session-based authentication, and the API is authenticated with scoped API keys. Internal access to production data is limited to the people who need it and is logged.

Payments

Payments are processed by Stripe, a PCI-DSS Level 1 certified provider. We do not store full payment card details on our systems.

Monitoring and resilience

We log API activity, enforce rate limits, and monitor for abuse. Our database provider maintains backups to support recovery in the event of an incident.

Responsible disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability, email security@wherabouts.com with details and steps to reproduce.

Please give us a reasonable opportunity to investigate and remediate before any public disclosure. We will not pursue legal action against researchers acting in good faith and within the scope of this policy.

Your responsibilities

Keep your API keys secret and rotate them if you suspect exposure. Use separate, scoped keys per project, restrict who can access your Wherabouts account, and secure the systems that call our API.

Contact us

For security questions or reports, contact security@wherabouts.com.