Security at Subscriply
Built for enterprise SaaS from the ground up. Multi-tenant isolation, RBAC, JWT auth, and runtime protection.
Multi-Tenant Isolation
Complete data isolation per organisation. Every database query is scoped to the authenticated tenant. It is architecturally impossible for one tenant to access another's data.
JWT Authentication
All API requests require a valid JWT Bearer token. Tokens expire and must be refreshed. Compromised tokens can be invalidated server-side.
Role-Based Access Control
11 modules, 4 actions each (view, create, edit, delete). Every API route enforces both role-level and module-permission checks. Principle of least privilege by default.
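One way the tenant scoping and the two-layer permission check described above fit together, as an added Python illustration rather than Subscriply's own code; the module names, role hierarchy, and subscription rows are constructed placeholders:

```python
# Added illustration, not Subscriply's code; modules, roles and rows are constructed.
from dataclasses import dataclass

ACTIONS = ("view", "create", "edit", "delete")
MODULES = ("subscriptions", "billing", "users")     # constructed subset of the 11
ROLE_RANK = {"viewer": 0, "member": 1, "admin": 2}   # constructed hierarchy

class Forbidden(Exception):
    """Either the role check or the module-permission check failed."""

@dataclass(frozen=True)
class Principal:
    """Derived from a validated JWT; tenant and grants never come from the request."""
    user_id: str
    tenant_id: str
    role: str
    perms: frozenset  # (module, action) pairs; empty == deny everything

def authorize(p: Principal, module: str, action: str, min_role: str = "viewer") -> bool:
    # Unknown module/action names are rejected, never silently allowed.
    if module not in MODULES or action not in ACTIONS:
        raise ValueError(f"unknown permission {module}:{action}")
    # Check 1: role level; an unrecognised role ranks below every known one.
    if ROLE_RANK.get(p.role, -1) < ROLE_RANK[min_role]:
        raise Forbidden(f"role {p.role!r} below required {min_role!r}")
    # Check 2: explicit grant; least privilege means no implicit permissions.
    if (module, action) not in p.perms:
        raise Forbidden(f"missing grant {module}:{action}")
    return True

# Constructed shared table holding rows from two tenants.
SUBSCRIPTIONS = [
    {"id": 1, "tenant_id": "acme", "plan": "pro"},
    {"id": 2, "tenant_id": "globex", "plan": "team"},
    {"id": 3, "tenant_id": "acme", "plan": "free"},
]

def list_subscriptions(p: Principal) -> list:
    """Filter is bound to p.tenant_id from the token, so callers cannot widen it."""
    authorize(p, "subscriptions", "view")
    return [r for r in SUBSCRIPTIONS if r["tenant_id"] == p.tenant_id]

def delete_subscription(p: Principal, sub_id: int) -> bool:
    """Needs admin role plus the delete grant, and only touches the caller's tenant."""
    authorize(p, "subscriptions", "delete", min_role="admin")
    before = len(SUBSCRIPTIONS)
    SUBSCRIPTIONS[:] = [r for r in SUBSCRIPTIONS
                        if not (r["id"] == sub_id and r["tenant_id"] == p.tenant_id)]
    return len(SUBSCRIPTIONS) < before
```

Both checks run on every call, and a mismatched tenant is simply filtered out rather than reported, so a caller learns nothing about rows outside its own organisation.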
DevTools Protection
Runtime security overlay detects DevTools access in production and applies protective measures. Source maps are not exposed in production builds.
Transport & Storage Security
All data is encrypted in transit (TLS 1.3) and at rest. Security headers enforced: X-Frame-Options, X-Content-Type-Options, HSTS, CSP.
Audit Trail
Every subscription change is logged with user, timestamp, and diff. Complete audit trail available for compliance and incident investigation.
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly to security@subscriply.com. We commit to responding within 48 hours and resolving critical issues within 7 days.
See our full disclosure policy at /.well-known/security.txt