Security
Last updated: June 7, 2026
Security is a first-class concern at stndp. This page describes, in plain terms, how we protect your data. We apply security-by-design principles across the stack.
Data protection
- Your data is encrypted in transit (HTTPS everywhere, modern TLS) and at rest.
- We will never access your data without your permission, except where strictly necessary to operate the service or as required by law.
- Passwords are salted and hashed — we never store them in plain text — and payment details are handled entirely by Dodo Payments, so we never see or store card data.
- Your content stays portable: export it any time, and delete your account and data on demand.
Access controls
- Only authorized personnel can access production systems, on a least-privilege, need-to-know basis.
- Administrative access requires multi-factor authentication (MFA).
- Application secrets and credentials are stored in a managed secrets vault and injected at runtime — never committed to source control.
- The CLI and API authenticate with short-lived, scoped tokens that expire.
Infrastructure security
stndp runs on managed infrastructure on Amazon Web Services (AWS), including a managed database. Network access is restricted by default, traffic is served over HTTPS only, and we rely on AWS-managed, regularly patched services rather than servers we maintain by hand. We apply standard application hardening — CSRF protection, secure cookies, and security headers.
Backups & availability
Our database uses AWS-managed automated backups with encryption. We are an early-stage service and do not yet offer a formal uptime SLA (see our Terms of Service). If a security incident occurs, we follow an internal incident-response process and will notify affected users without undue delay where required.
Vulnerability disclosure
We welcome reports from security researchers. If you believe you've found a vulnerability:
- Email support@stndp.io with details and steps to reproduce.
- Give us a reasonable chance to investigate and fix the issue before public disclosure.
- Do not access, modify, or delete data that isn't yours, and avoid privacy violations or service disruption while testing.
If you act in good faith under this guidance, we will not pursue legal action against you. We aim to acknowledge reports promptly and keep you updated on remediation.