Security at ResetUI

How we protect your data, what infrastructure we run on, and how to report a vulnerability. We believe transparency here builds trust.

Last reviewed: April 20, 2026
01 Our Commitment

Security is not a checkbox at Infynite Labs — it shapes every architectural decision we make. We handle your project data, authentication tokens, and payment information, so we hold ourselves to a high standard.

This page documents our current security posture. If you're a security researcher and notice something we've missed, please see the Vulnerability Disclosure section below.

02 Data Encryption

In Transit

  • All traffic encrypted with TLS 1.2+ (TLS 1.3 preferred)
  • HTTPS enforced site-wide with HSTS preloading
  • API endpoints reject unencrypted connections
  • Vercel Edge Network handles TLS termination globally

At Rest

  • Database encrypted at rest using AES-256 (managed by Supabase)
  • Backup snapshots encrypted with the same standard
  • Sensitive configuration (API keys, secrets) stored in encrypted environment variables
  • No payment card data stored — Dodo Payments handles all PCI-scoped data

03 Authentication & Session Management

Authentication is handled entirely by Kinde, a purpose-built auth provider. We do not store passwords.

  • OAuth 2.0 sign-in via Google and GitHub — no password storage on our end.
  • Short-lived session tokens with automatic rotation on re-authentication.
  • CSRF protection on all state-changing API endpoints.
  • All authenticated API routes verify the session server-side before processing any request.
  • Session tokens are HttpOnly cookies — inaccessible to JavaScript running on the page.

04 Payment Security

All payment processing is handled by Dodo Payments, a PCI DSS compliant payment processor. Your card data never touches our servers.

  • We never see, store, or transmit raw card numbers.
  • Checkout and card entry happen in Dodo Payments-hosted elements, so card details are entered directly into their systems rather than ours.
  • Billing records (plan, amount, timestamps) are stored in our database but contain no sensitive payment data.
  • Dodo Payments handles all chargebacks, refund processing, and PCI scope.

05 Infrastructure

ResetUI runs on infrastructure from providers with strong security certifications.

Provider        Role                                    Certifications
Vercel          Application hosting, Edge Network, CDN  SOC 2 Type II, ISO 27001
Supabase        PostgreSQL database                     SOC 2 Type II
Kinde           Authentication                          SOC 2 Type II
Dodo Payments   Payments                                PCI DSS compliant
Inngest         Background job orchestration            SOC 2 Type II
Anthropic       AI inference (Claude)                   SOC 2 Type II
OpenAI          AI inference (GPT models)               SOC 2 Type II
Resend          Transactional email                     SOC 2 Type II

06 Access Controls

  • Principle of least privilege: team members have access only to systems required for their role.
  • Production database access is restricted and requires VPN + MFA.
  • All internal access is logged and reviewed.
  • Third-party integrations use scoped API keys — no service receives broader permissions than it needs.
  • Environment secrets are rotated regularly and stored encrypted.

07 API Security

  • All API routes require valid server-side session verification — no client-side trust.
  • Rate limiting is enforced on all AI routes (20 requests/minute per user) and project creation (10/hour) to prevent abuse.
  • Payload size limits are enforced on all upload endpoints (16 MB per image, 25 MB aggregate).
  • SQL queries use parameterised statements via Prisma ORM — no raw string concatenation.
  • User-submitted content is never executed server-side.
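The request-side limits listed above (per-user rate limits on AI routes and project creation, and the per-image and aggregate upload caps), written out as an added illustration rather than ResetUI's own code. The route-class names, the sliding-window approach and the in-memory store are assumptions; on a serverless platform such as Vercel the counters would need to live in shared storage rather than process memory.

```javascript
// Added example, not ResetUI's code. Limits are the ones stated on this page.
const LIMITS = {
  ai: { max: 20, windowMs: 60_000 },               // 20 requests/minute per user
  projectCreate: { max: 10, windowMs: 3_600_000 }, // 10 per hour per user
};
const MAX_IMAGE_BYTES = 16 * 1024 * 1024;     // 16 MB per image
const MAX_AGGREGATE_BYTES = 25 * 1024 * 1024; // 25 MB per request

// Sliding-window limiter keyed by (userId, route class). In-memory for the
// example; a multi-instance deployment would back it with a shared store.
class RateLimiter {
  constructor(limits) { this.limits = limits; this.hits = new Map(); }

  // Returns whether the request may proceed; `now` is injectable for testing.
  check(userId, routeClass, now = Date.now()) {
    const limit = this.limits[routeClass];
    if (!limit) throw new Error(`unknown route class: ${routeClass}`);
    const key = `${userId}:${routeClass}`;
    const recent = (this.hits.get(key) || []).filter(t => now - t < limit.windowMs);
    if (recent.length >= limit.max) {
      this.hits.set(key, recent);
      return { allowed: false, retryAfterMs: limit.windowMs - (now - recent[0]) };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: limit.max - recent.length };
  }
}

// Enforces the per-image and aggregate caps from declared sizes (e.g. multipart
// part lengths) before any bytes are buffered, rejecting at the first violation.
function checkUploadSizes(imageSizes) {
  let total = 0;
  for (const [i, size] of imageSizes.entries()) {
    if (!Number.isInteger(size) || size < 0) return { ok: false, reason: `image ${i}: invalid size` };
    if (size > MAX_IMAGE_BYTES) return { ok: false, reason: `image ${i} exceeds 16 MB` };
    total += size;
    if (total > MAX_AGGREGATE_BYTES) return { ok: false, reason: 'aggregate exceeds 25 MB' };
  }
  return { ok: true, totalBytes: total };
}
```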

08 Vulnerability Disclosure

We operate a responsible disclosure programme. If you find a security vulnerability in ResetUI, we want to hear from you — and we commit to responding promptly and fairly.

Report a vulnerability

security@resetui.com

We aim to acknowledge reports within 48 hours and provide a timeline for a fix within 7 days.

Our commitments to you

  • We will not take legal action against researchers who follow responsible disclosure.
  • We will acknowledge your report and keep you informed as we work on a fix.
  • We will credit you in the relevant changelog entry if you wish.

Please do not

  • Perform automated scanning against production systems.
  • Access or modify other users' data.
  • Disclose vulnerabilities publicly before we have had a chance to address them.

09 Incident Response

In the event of a security incident affecting your data, we will:

  • Notify affected users by email within 72 hours of confirming the breach.
  • Describe what data was affected, how, and what we are doing to address it.
  • Provide guidance on steps you can take to protect yourself.
  • File required regulatory notifications (e.g. GDPR supervisory authority) where applicable.

10 Contact

Security questions or concerns? Reach our security team directly:

Security issues

security@resetui.com

General support

support@resetui.com