Encryption in Transit
All connections use TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS.
Encryption at Rest
Database and backup data is encrypted using AES-256. Disk encryption is enabled on all servers.
Password Security
Passwords are hashed with bcrypt (cost factor 12). We never store plaintext passwords.
Infrastructure
Hosted on AWS with VPC isolation, restricted security groups, and automated security patching.
Authentication
RewardGuard authenticates accounts with JWTs: short-lived access tokens (1 hour) and long-lived refresh tokens (30 days). License keys are generated from a cryptographically secure random byte source.
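The token scheme described above, as an added illustration (not RewardGuard's own code): HS256-signed JWTs with a 1-hour access and 30-day refresh lifetime, a verifier that rejects expired, mistyped, tampered or `alg: none` tokens, and a license key drawn from the OS CSPRNG. Standard library only; the signing secret and subject are constructed sample values.

```python
import base64, hashlib, hmac, json, secrets, time

ACCESS_TTL = 60 * 60             # access tokens live 1 hour
REFRESH_TTL = 30 * 24 * 60 * 60  # refresh tokens live 30 days

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(secret: bytes, subject: str, kind: str, now=None) -> str:
    """Mint an HS256-signed JWT of the given kind ('access' or 'refresh')."""
    now = int(time.time()) if now is None else now
    ttl = ACCESS_TTL if kind == "access" else REFRESH_TTL
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "typ": kind, "iat": now, "exp": now + ttl,
              "jti": secrets.token_hex(16)}  # unique id, usable for a revocation list
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(secret: bytes, token: str, expected_kind: str, now=None):
    """Return the claims if the token is authentic, unexpired and of the expected
    kind; otherwise None. Only HS256 is accepted, so 'alg': 'none' is rejected."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, AttributeError):  # malformed segments, base64 or JSON
        return None
    # a refresh token must never be accepted where an access token is expected
    if claims.get("typ") != expected_kind or claims.get("exp", 0) <= now:
        return None
    return claims

def generate_license_key(nbytes: int = 20) -> str:
    """License key from the OS CSPRNG via secrets, never from random.random()."""
    return secrets.token_urlsafe(nbytes)
```

In production the secret comes from a secret store rather than source code, and refresh tokens are additionally tracked by `jti` so they can be revoked before their 30-day expiry.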
Payment Security
All payments are handled by Stripe, a PCI DSS Level 1 certified payment processor. RewardGuard never sees, stores, or transmits card numbers. Stripe handles all cardholder data directly.
Access Controls
- Production database is not publicly accessible — only reachable from within the private VPC
- Server access requires SSH key authentication (password login disabled)
- Admin actions are logged with timestamp and IP address
- Backend endpoints are rate-limited to prevent brute-force attacks
Dependency Management
We regularly audit our Python dependencies for known vulnerabilities using automated scanning. Critical security updates are applied within 24 hours of disclosure.
Reporting a Vulnerability
We take security reports seriously. If you discover a vulnerability in RewardGuard, please disclose it responsibly:
📧 Email us at security@rewardguard.dev with a description of the issue. Please do not publicly disclose vulnerabilities before we have had a chance to address them. We aim to respond within 48 hours and resolve critical issues within 7 days.
Bug Bounty
We currently do not operate a formal bug bounty program, but we gratefully acknowledge researchers who report valid security issues responsibly. Contact us to discuss recognition.