ACCESS

Security

Your data is protected at every layer.

ACCESS is built on infrastructure that meets enterprise-grade security standards. Here's exactly what protects your workspace.

TLS 1.2+

All traffic encrypted in transit

AES-256

Data encrypted at rest

PCI-DSS

Payment data via Stripe

SOC 2

Auth via Clerk (SOC 2 Type II)

HTTPS Only

HSTS enforced via Vercel

NACHA

ACH governed by federal rules

Infrastructure security

  • All platform traffic encrypted with TLS 1.2+ via Vercel Edge Network
  • Strict-Transport-Security (HSTS) enforced with max-age 63,072,000 seconds
  • HTTP security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
  • Data stored in Supabase with AES-256 encryption at rest
  • Database connections use SSL-enforced certificates
  • Vercel Edge Functions run in isolated execution environments

Authentication and identity

  • Authentication powered by Clerk (SOC 2 Type II certified)
  • Support for multi-factor authentication (MFA) via TOTP and SMS
  • Session tokens are short-lived and rotated on sensitive operations
  • OAuth 2.0 flows for social sign-in (Google) with PKCE protection
  • Passwords are hashed using bcrypt with a minimum cost factor of 12
  • Account lockout after repeated failed authentication attempts

Payment security

  • All payment processing handled by Stripe, Inc. (PCI-DSS Level 1 certified)
  • We never store full card numbers, CVVs, or bank account numbers
  • Only Stripe Customer IDs and payment method references are stored
  • ACH transactions governed by NACHA Operating Rules
  • Stripe uses TLS 1.2+ for all payment API calls
  • 3D Secure authentication available for card payments on high-risk transactions

Application security

  • Clickjacking protection via X-Frame-Options: SAMEORIGIN header
  • MIME type sniffing prevented via X-Content-Type-Options: nosniff
  • All user input sanitized and parameterized to prevent SQL injection
  • Server Actions use CSRF-safe patterns via Next.js App Router
  • API routes validate authentication on every request
  • Admin routes protected by additional role verification

Data privacy and breach response

  • Data stored in the United States across all providers
  • No personal data sold to third parties — ever
  • Florida residents notified within 30 days of a discovered breach (FIPA)
  • Georgia residents notified without unreasonable delay (O.C.G.A. § 10-1-912)
  • Data deletion is permanent and irreversible upon account closure (90-day window)
  • Billing records retained 7 years per tax law; all other data deleted on request

Responsible disclosure

If you discover a security vulnerability in ACCESS, please report it to us responsibly before public disclosure. We take all security reports seriously and will respond within 72 hours.

Email: support@jdwhite.worldwith the subject line "Security Report". Please include a description of the vulnerability, steps to reproduce, and potential impact.