Security
Authentication
Accounts are secured via Firebase Authentication. Passwords are never stored in plain text. We support email/password and Google sign-in. All sessions use short-lived ID tokens.
Transport
All traffic is encrypted in transit via TLS 1.2+. API routes enforce HTTPS.
Data isolation
Workspace data is scoped per workspace in Firestore. Users cannot access data outside their workspace. All API routes verify workspace membership before returning data.
Payments
Payment processing is handled by Paystack and Polar. We never see or store your card number. Webhook signatures are verified on every event.
Rate limiting
API endpoints are rate-limited per IP and per user to prevent abuse. Webhook endpoints use Redis-backed deduplication to prevent replay attacks.
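The webhook checks described under Payments and Rate limiting, sketched as an added example (not this service's own code): the signature is verified over the raw body first, and only a verified event is recorded for deduplication, so an unsigned request cannot fill the dedup store. It assumes Paystack's documented scheme (hex HMAC-SHA512 of the raw body, sent in the x-paystack-signature header); `SeenStore`, `handleWebhook`, the body-digest dedup key and the sample secret and payload are hypothetical, with an in-memory map standing in for Redis `SET key 1 NX EX ttl`.

```javascript
const crypto = require("node:crypto");

// In-memory stand-in for Redis `SET key 1 NX EX ttl`:
// returns true only the first time a key is seen within its TTL.
class SeenStore {
  constructor() { this.expiry = new Map(); }
  setIfAbsent(key, ttlMs, now = Date.now()) {
    const exp = this.expiry.get(key);
    if (exp !== undefined && exp > now) return false; // still remembered: duplicate
    this.expiry.set(key, now + ttlMs);
    return true;
  }
}

// Verify the HMAC over the raw request bytes, then deduplicate.
// rawBody must be the unparsed Buffer; re-serialised JSON will not match.
function handleWebhook(rawBody, signatureHex, secret, store,
                       ttlMs = 24 * 3600 * 1000, now = Date.now()) {
  const expected = crypto.createHmac("sha512", secret).update(rawBody).digest();
  const given = Buffer.from(String(signatureHex || ""), "hex");
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { status: 401, reason: "bad signature" };
  }
  // Dedup key (assumption): digest of the signed body, so an exact replay collides.
  const key = "webhook:" + crypto.createHash("sha256").update(rawBody).digest("hex");
  if (!store.setIfAbsent(key, ttlMs, now)) {
    return { status: 200, reason: "duplicate ignored" }; // acknowledge, do not reprocess
  }
  return { status: 200, reason: "processed", event: JSON.parse(rawBody.toString("utf8")) };
}

// Constructed sample input (not a real secret or event).
const SECRET = "sk_test_constructed_secret";
const BODY = Buffer.from('{"event":"charge.success","data":{"reference":"constructed-ref-001"}}');
const SIG = crypto.createHmac("sha512", SECRET).update(BODY).digest("hex");
```

Returning 200 for a duplicate stops the provider from retrying an event that was already handled.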
Reporting a vulnerability
If you discover a security issue, please disclose it responsibly by emailing security@sigmora.org. We will respond within 48 hours.