Security — StampWise

We take the security of merchant and customer data seriously. This page summarizes the controls we have in place.

Infrastructure

Hosted on enterprise-grade cloud infrastructure with redundant data centers
Edge runtime with global TLS termination
Automated daily database backups with point-in-time recovery

Data protection

TLS 1.2+ for all data in transit
AES-256 encryption at rest for database storage
Passwords hashed with bcrypt; we never store plaintext credentials
Row-level security policies enforce per-merchant data isolation

Access control

Role-based access for the StampWise team, scoped to least privilege
Two-factor authentication required for administrative access
Audit logging of sensitive administrative actions

Application security

Input validation on all server functions and public endpoints
Signed webhooks with constant-time signature verification
Rate limiting on authentication and scanning endpoints
Automated dependency vulnerability scanning
Referral fraud prevention: unique email and phone, monthly caps, and stamp-gated bonus unlocks

Payments

Payments are processed by a PCI-DSS Level 1 certified provider. StampWise never stores full card numbers or CVCs.

Responsible disclosure

If you believe you have found a security vulnerability, please report it to security@stampitnow.com. We commit to acknowledging reports within 3 business days and to working with researchers in good faith. Please do not publicly disclose issues before we have had a reasonable opportunity to respond.

Incident response

In the event of a security incident affecting customer data, we will notify affected Merchants without undue delay and in accordance with applicable law.