Trust

Security & Compliance

The concrete, honest measures we take — and the ones we have not claimed.

Encrypted transport

All traffic is served over HTTPS/TLS; the application is hosted on Netlify with platform-managed certificates.

Password hashing

Passwords are hashed with bcrypt and never stored or logged in plaintext.

Token-based auth

Sessions use a signed JWT in an httpOnly, SameSite cookie. In production the signing secret is mandatory — the app refuses to issue tokens without it.

Payment isolation

Card data is handled entirely by Stripe. Full card numbers never reach our servers or database.

Encrypted database

Data is stored in Neon Postgres with encryption at rest; access uses least-privilege credentials.

Minimal data

We collect only what the service needs: an email, a hashed password, subscription state and optional feedback.

Responsible disclosure

Found a vulnerability? Email security@trendnow.app with steps to reproduce. Please give us reasonable time to remediate before any public disclosure. We appreciate good-faith research.

An honest note on certifications

We do not currently claim formal certifications such as SOC 2 or ISO 27001. We describe only the controls we actually run. As the platform matures we will update this page rather than overstate our posture.