Buttr

Security

Security is a core part of how we build and operate Buttr. Here’s an overview of the technical and organizational measures we have in place.

Encryption in Transit

All communications between your browser and our servers are encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and redirect HTTP requests automatically.

Encryption at Rest

User data stored in our Supabase PostgreSQL database is encrypted at the storage layer using AES-256. Sensitive fields including payment metadata are additionally hashed.

Authentication & Access Control

We use NextAuth with bcrypt-hashed credentials and support OAuth 2.0 providers. Role-based access control (RBAC) enforces tiered access to features based on subscription level.

Least-Privilege Architecture

Internal services operate with the minimum permissions required. Database row-level security (RLS) policies are enforced at the Supabase layer, isolating user data by account.
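As an added illustration of what "row-level security enforced at the Supabase layer" means in practice (this is example SQL written for this page, not Buttr's schema or policies), the following Postgres snippet defines a hypothetical `notes` table and the RLS policies that restrict every read and write to rows owned by the calling account. It assumes Supabase's `auth.uid()` helper and `authenticated` role; the table, column and policy names are invented.

```sql
-- Added example, not Buttr's own schema. Assumes a Supabase project, where
-- auth.uid() returns the "sub" claim of the caller's JWT and the
-- "authenticated" role is what logged-in API requests run as.

create table if not exists public.notes (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null default auth.uid(),   -- account that owns the row
  body       text not null,
  created_at timestamptz not null default now()
);

-- RLS is off by default: without these two statements no policy below is consulted.
-- FORCE also applies the policies to the table owner, so a misconfigured
-- connection as the owner cannot silently bypass them.
alter table public.notes enable row level security;
alter table public.notes force row level security;

-- Reads: only the caller's own rows are visible.
create policy notes_select_own on public.notes
  for select to authenticated
  using (owner_id = auth.uid());

-- Inserts: WITH CHECK validates the row being written, so a client cannot
-- create a row that belongs to another account.
create policy notes_insert_own on public.notes
  for insert to authenticated
  with check (owner_id = auth.uid());

-- Updates: USING picks which existing rows may be touched, WITH CHECK keeps the
-- caller from reassigning a row to someone else.
create policy notes_update_own on public.notes
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy notes_delete_own on public.notes
  for delete to authenticated
  using (owner_id = auth.uid());

-- Constructed sanity check, run inside a transaction so it leaves no trace:
-- impersonate an authenticated user with a fake JWT "sub" and confirm that no
-- row belonging to any other account is visible. Expected count: 0.
begin;
set local role authenticated;
select set_config(
  'request.jwt.claims',
  '{"sub": "11111111-1111-1111-1111-111111111111", "role": "authenticated"}',
  true);
select count(*) as leaked_rows
from public.notes
where owner_id <> '11111111-1111-1111-1111-111111111111';
rollback;
```

Two caveats a reviewer of such a setup checks: every table exposed through the API needs its own `enable row level security`, since a table without it is fully readable by any holder of the anonymous key, and the Supabase `service_role` key bypasses RLS entirely, so it belongs only in server-side environment variables, never in client code.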

Infrastructure

  • Hosted on Vercel’s edge network with automatic DDoS mitigation
  • Database hosted on Supabase with automated backups and point-in-time recovery
  • Payment processing handled exclusively by Stripe — we never store raw card data
  • Environment secrets managed via encrypted environment variables, never exposed client-side
  • Dependencies regularly audited and updated using automated tooling

Account Security Best Practices

We recommend all users:

  • Use a strong, unique password for your Buttr account
  • Sign in via OAuth (Google) for enhanced security
  • Never share your account credentials with others
  • Log out from shared or public devices after use
  • Contact us immediately if you suspect unauthorized access

Responsible Disclosure

Found a vulnerability?

We take security vulnerabilities seriously and appreciate responsible disclosure. If you discover a security issue, please report it privately to security@itsbuttr.com before disclosing publicly. Include a description of the issue, steps to reproduce it, and any relevant proof-of-concept. We aim to acknowledge reports within 48 hours and will keep you informed as we work toward a resolution.

Compliance

Buttr is designed to be compliant with commonly accepted data protection principles, including those outlined in the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) where applicable. Please review our Privacy Policy for details on how we handle personal data.