Security
Your production data — orders, customer details, invoices, artwork — is business-critical. Below is a plain account of how damantra is secured, what infrastructure it runs on, and how to report a vulnerability.
Quick answers
- damantra does not store card details.
- Payments are processed through Stripe-hosted checkout.
- Where Stripe Connect is enabled, payments are made to the merchant's connected Stripe account.
- Each organisation's data is separated using database row-level security.
- Team access is role-based.
- Customer portals only show records shared with that customer.
- Security issues can be reported to contact@damantra.app.
Infrastructure
damantra runs on managed infrastructure with strong published security programmes:
- Vercel — application hosting and global CDN. SOC 2 Type II certified. All requests served over TLS 1.2+.
- Supabase — managed Postgres database and authentication. SOC 2 Type II certified. Data stored in EU regions. Encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Stripe— payment processing. Customers enter card details on Stripe's own hosted checkout, never inside damantra. See Payments below.
- Resend — delivery of transactional email such as quotes, invoices, and notifications.
We do not run our own database servers or manage our own certificates. These responsibilities are handled by infrastructure partners operating under recognised compliance frameworks.
Data isolation
Every organisation's data is isolated at the database layer using row-level security (RLS). An authenticated user in one organisation cannot access another organisation's records — this is enforced at the database query level, not only at the application layer.
Customer portal users can only see records explicitly shared with them. Internal notes, cost data, and other organisations' records are never exposed.
Payments
When a customer pays an invoice or accepts a quote, they pay through Stripe-hosted checkout. Card details are entered on Stripe's own secure page — never inside damantra.
damantra does not store card numbers, CVCs, or raw card details. Where Stripe Connect is enabled, payments are processed for the merchant's connected Stripe account.
damantra records the payment status and the related quote, order, or invoice reference so your workflows update correctly. Refunds, disputes, and payouts are handled through the merchant's Stripe account where applicable.
Authentication
damantra uses Supabase Auth for identity management:
- Passwords are hashed using bcrypt and never stored in plaintext.
- Magic link authentication sends a time-limited, single-use token to your email. Links expire automatically.
- Sessions expire after a period of inactivity. Tokens are rotated on each use.
- Team members are added by invitation only — there is no self-registration into an existing organisation.
Encryption
All business data is encrypted at rest using AES-256. All data in transit between your browser and our servers is encrypted using TLS 1.2 or higher. We do not support older TLS versions.
Access controls
Access to production systems is restricted to named team members with a documented need. We do not grant broad access to contractors or third parties. Access is reviewed periodically and revoked immediately when no longer needed.
Backups
damantra's production database is protected by Supabase-managed daily backups with 7-day retention. Backup and recovery settings are reviewed as part of production operations.
Responsible disclosure
If you discover a security vulnerability in damantra, please report it to us before disclosing publicly. We ask for a reasonable window to investigate and remediate.
Report to: contact@damantra.app with “Security Disclosure” in the subject. We will acknowledge within 2 business days.
We do not pursue legal action against researchers acting in good faith.
Questions
For security questions outside of vulnerability reports: contact@damantra.app.