Platform Security

Security is not an afterthought at GoFindPart. From authentication to payment processing and infrastructure, every layer is hardened to protect our buyers, suppliers, and their data.

Last updated: January 2026

At a glance:

  • 15 min: access token expiry
  • TLS 1.2+: transport security
  • PCI DSS: payment security
  • < 24h: response to vulnerability reports

Authentication & Access Control

Multi-layered authentication protects every account on the platform.

  • JSON Web Token (JWT) authentication — access tokens expire after 15 minutes
  • Refresh tokens (7-day lifetime) stored in HttpOnly, SameSite=Strict cookies — never in localStorage
  • Single-session enforcement: logging in on a new device revokes all previous sessions
  • Token rotation on every refresh: the presented refresh token is invalidated and a new one issued, so a stolen copy stops working as soon as the legitimate client next refreshes
  • Token reuse detection: if a refresh token is used twice, the entire token family is revoked
  • Step-up authentication required for sensitive admin actions (2FA re-verification)
  • Optional two-factor authentication (TOTP) for all accounts
  • Rate limiting on login (10 attempts per 15 minutes) and registration (3 per hour)

Data Protection & Encryption

All data is encrypted in transit and at rest. Payment card data never touches our servers.

  • All traffic encrypted with TLS 1.2+ (HTTPS enforced; HTTP redirected)
  • Passwords hashed with bcrypt — plaintext passwords are never stored anywhere
  • Database encryption at rest for all user and transaction data
  • Payment card data handled entirely by Stripe (a PCI DSS Level 1 service provider); card numbers never reach our servers, which keeps GoFindPart's own PCI DSS scope to a minimum
  • All uploaded documents (images, proof of purchase) stored in AWS S3 with server-side encryption (AES-256)
  • Escrow funds processed through Stripe Connect — segregated from GoFindPart operating accounts
  • Production database access restricted to application services only — no direct developer access

Infrastructure Security

Hosted on Render's managed infrastructure, with automated dependency scanning, TLS-only backing services and hardened response headers.

  • Application hosted on Render's managed cloud infrastructure; Render operates the underlying hosts and GoFindPart has no root access to them
  • Automated dependency vulnerability scanning on every pull request
  • Docker container images rebuilt from scratch on every deployment — no persistent container state
  • Redis cache (Upstash) with TLS and password authentication; no plaintext connections
  • Security headers enforced on all responses: HSTS, X-Frame-Options, CSP, X-Content-Type-Options
  • CSRF protection via Origin header validation: state-changing requests whose Origin header does not match an allow-listed origin are rejected, in addition to the SameSite=Strict session cookies
  • Structured request logging with Pino 10 — anomalous patterns trigger automated alerts via Sentry
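The Origin-header CSRF check from the list above as an added example, together with the prefix-matching mistake it must avoid. This is illustrative code written for this page, not GoFindPart's own hook; the allow-listed origins are hypothetical values.

```javascript
// Added example (not GoFindPart's code): Origin-header CSRF check for state-changing requests.
// The allow-listed origins below are hypothetical.
const ALLOWED_ORIGINS = new Set(['https://app.gofindpart.com', 'https://admin.gofindpart.com']);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// headers: an object with lower-cased header names, as Node's http module provides.
function csrfVerdict(method, headers) {
  // Safe methods must not change state, so they are not CSRF targets.
  if (SAFE_METHODS.has(method.toUpperCase())) return { allowed: true, reason: 'safe-method' };
  const origin = headers.origin;
  // Browsers always attach Origin to cross-site POST/PUT/PATCH/DELETE; a missing header means a
  // non-browser client or a proxy that stripped it, and neither earns the benefit of the doubt.
  if (origin === undefined) return { allowed: false, reason: 'missing-origin' };
  // "null" comes from sandboxed iframes, data: URLs and some redirect chains; never allow-list it.
  if (origin === 'null') return { allowed: false, reason: 'null-origin' };
  // Exact match on scheme + host + port; a prefix or substring test is bypassable.
  if (!ALLOWED_ORIGINS.has(origin)) return { allowed: false, reason: 'untrusted-origin' };
  return { allowed: true, reason: 'origin-allowed' };
}

// The common mistake, kept only to show the bypass: a prefix check accepts attacker-controlled
// hosts such as https://app.gofindpart.com.evil.com.
function csrfVerdictNaive(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) return { allowed: true };
  const origin = headers.origin ?? '';
  return { allowed: origin.startsWith('https://app.gofindpart.com') };
}
```

In a Fastify-style application this runs as a route hook before any handler touches the body. It is a second layer: SameSite=Strict already stops the browser from attaching the cookie on cross-site requests, and the Origin check catches the cases where a cookie is nevertheless present, such as a same-site subdomain that has been compromised or a client that ignores SameSite.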

Application-Level Security

Security is enforced at every layer — from route hooks to response serialisation.

  • All input validated with Zod schemas before processing — invalid payloads are rejected early
  • Role-based access control enforced on every authenticated route (buyer, seller, admin)
  • API responses serialised through DTO mappers — raw database models are never returned
  • Kill-switch system: any platform feature can be disabled by admins without a deployment
  • Idempotency keys on all admin write operations: a request replayed with the same key returns the original result instead of being applied a second time
  • Content Security Policy configured per surface (marketing, app, admin) — Stripe frames blocked on non-payment pages

Delivery & Physical Security

QR-code handoffs create a tamper-resistant chain of custody for every order.

  • Pickup orders require a signed QR code to be scanned by both parties at handoff
  • QR verification codes are single-use and expire after the transaction window
  • Delivery confirmation timestamps stored as immutable audit records
  • Escrow release triggered only after a confirmed delivery event — never on seller-only actions

Vulnerability Reporting

Found a security issue? We take all reports seriously and respond within 24 hours.

  • Email security@gofindpart.com with a detailed description of the vulnerability
  • Please do not disclose the vulnerability publicly until we have had a chance to address it
  • Include steps to reproduce, potential impact, and your contact details
  • We will acknowledge receipt within 24 hours and provide a timeline for resolution
