Real claims, not marketing fluff. Every statement below has a verifiable third-party source. If you find anything you can't verify, email security@nexoraaero.com.
Every byte that leaves your browser is encrypted in flight. Every byte we store is encrypted at rest by our infrastructure provider.
HTTPS everywhere with HSTS. SSL Labs A grade. Verifiable at ssllabs.com.
Independently verifiable
Database storage encrypted by Supabase (AWS RDS encryption). Backups encrypted with separate keys.
Provider-attested
Cards go directly from your browser to Stripe/Razorpay. We literally never see them, can't see them, can't leak them.
Architecture guarantee
Every payment runs through a PCI-DSS Level 1 certified processor. We see an order ID, an amount, and a verified signature — never the card number, CVV, or expiry.
PCI-DSS Service Provider Level 1 (highest tier). Stripe handles all card data. We get a webhook + verified signature.
stripe.com/docs/security
PCI-DSS L1 + RBI-licensed payment aggregator. Backend signature verification via Supabase Edge Function (HMAC-SHA256).
razorpay.com/security
Funds are held in escrow until you accept delivery. If the seller never delivers, you get a full refund — no questions.
14-day window
Passwords are hashed with bcrypt (never stored in plain text). Sessions use signed JWTs. OAuth via Google/GitHub if you'd rather not have another password.
Cost factor 10. Passwords cannot be reversed even by us. We can reset, not retrieve.
Skip the password entirely. We get only your email and name — never a token, never your password.
Supabase RLS policies enforce that you can only read/write your own records — even if a query bypasses the app.
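The Razorpay line above says webhook signatures are checked in a Supabase Edge Function with HMAC-SHA256. As an added example (not Nexora Aero's own code), here is what that check looks like in TypeScript; the hex-encoded signature header, the secret and the event field names are constructed assumptions.

```typescript
// Added example (not Nexora Aero's code): HMAC-SHA256 webhook signature
// verification of the kind the Razorpay line describes for a Supabase Edge
// Function. Uses Node's crypto module, which Deno also exposes as "node:crypto".
// The header name, secret and event fields below are constructed assumptions.
import { createHmac, timingSafeEqual } from "node:crypto";

// Shared secret issued by the provider when the webhook was registered.
// In production it comes from an environment variable, never from source.
const WEBHOOK_SECRET = "whsec_constructed_example"; // placeholder, not a real secret

// Providers sign the exact raw request body, so we hash the bytes as received,
// never a re-serialised JSON object (whitespace or key order would change the MAC).
function signPayload(rawBody: string, secret: string): string {
  return createHmac("sha256", secret).update(rawBody).digest("hex");
}

function verifySignature(rawBody: string, received: string | null, secret: string): boolean {
  if (!received) return false;
  const expected = Buffer.from(signPayload(rawBody, secret), "hex");
  const provided = Buffer.from(received, "hex"); // malformed hex yields a short buffer
  // timingSafeEqual throws on length mismatch, so reject that case explicitly;
  // the constant-time compare then prevents byte-by-byte timing leaks.
  if (provided.length !== expected.length) return false;
  return timingSafeEqual(provided, expected);
}

// Handler core, kept free of the Request/Response objects so it is testable:
// verify first, parse second, and keep only the order id and amount.
function handleWebhook(
  rawBody: string,
  signatureHeader: string | null,
  secret: string = WEBHOOK_SECRET,
): { status: number; orderId?: string; amount?: number } {
  if (!verifySignature(rawBody, signatureHeader, secret)) {
    return { status: 401 }; // never parse an unauthenticated body
  }
  const event = JSON.parse(rawBody);
  // "order_id" and "amount" are assumed field names for this example.
  return { status: 200, orderId: event.order_id, amount: event.amount };
}

// Constructed sample event: a real edge function would read req.text() and
// req.headers.get("x-webhook-signature") (assumed header name) instead.
const sampleBody = JSON.stringify({ order_id: "order_constructed_001", amount: 4999 });
const sampleSignature = signPayload(sampleBody, WEBHOOK_SECRET);
console.log(handleWebhook(sampleBody, sampleSignature)); // status 200, amount 4999
console.log(handleWebhook(sampleBody, sampleSignature, "wrong-secret")); // status 401
```

Reading the raw body before any JSON parsing matters: parsing and re-stringifying the event first would change the bytes and make every genuine signature fail.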
Honest list. Every third party we use, what they do, and where to verify their security posture.
We won't pretend to hold certifications we don't. Here's the full truth — including the things we're working on.
| Standard | Status | Notes |
|---|---|---|
| HTTPS / TLS 1.3 | Live | Enforced site-wide via HSTS |
| PCI-DSS | Inherited | Stripe + Razorpay are L1. We use SAQ-A scope (no card data ever touches us) |
| GDPR | Aligned | Privacy policy + cookie banner + data-export endpoint. Not formally audited |
| CCPA | Aligned | Right to delete + data export available on request via privacy@nexoraaero.com |
| SOC 2 Type II | Not yet | Our sub-processors (Supabase, Stripe) hold SOC 2. We plan to pursue this at $100K+ MRR |
| ISO 27001 | Not yet | Inherited from Supabase. Direct certification planned post-Series A |
| HIPAA | Not applicable | We don't process health data |
It's tempting to slap a "SOC 2 Certified" badge on the homepage. We won't — because we aren't, and you deserve to know what's real vs. what's been outsourced to a more mature provider. Everything above is verifiable from the linked sources.
If you discover a vulnerability, please email security@nexoraaero.com with reproduction steps. We respond within 24 hours, fix critical issues within 7 days, and publicly credit researchers (with consent) in our security changelog.
Our promise: We will not pursue legal action against good-faith researchers who follow responsible disclosure. PGP key available on request.
We hope you never need this section. If we ever have a confirmed data breach affecting your data, here's exactly what happens.
Email notification to every affected user with: what was accessed, when, by whom (if known), and recommended actions.
Published at /security-changelog within 30 days. Includes timeline, root cause, fixes, and process changes.
If the breach involves payment data (it shouldn't — see above), we cover 12 months of credit monitoring.
We answer security questions personally. No bots, no canned responses.