Security
Last updated: May 24, 2026
Security is foundational to a research platform. Here's how we protect your data.
Authentication
- Passwords hashed with bcrypt (cost 10).
- Sessions are signed JWTs in httpOnly, SameSite cookies, so no tokens are exposed to client JS.
- Two-factor auth and SSO (SAML) available on Enterprise.
Authorization
Every query is scoped to your workspace. API keys carry granular scopes (read / write / admin) and can be revoked instantly.
Data protection
- Encryption in transit (TLS 1.2+) and at rest.
- Survey respondents are anonymous; raw IPs are never stored.
- Every privileged action is recorded in an immutable audit log.
Compliance
Aligned with GDPR, the India DPDP Act, and CCPA. SOC 2 Type II in progress. Data-subject export and deletion are self-serve.
Reporting a vulnerability
Email security@softstackresearch.com. We acknowledge within 24 hours and do not pursue good-faith researchers.