Skip to main content
Back home

Security
at Proofly

How we handle your data, your credentials, and your customers’ data. The short version: server-side gates, trusted infrastructure providers, no secrets in plugin source code.

The product security model

Every Proofly product is built on the same principle: secrets stay on the server.

Server-side gates

PageLock's authentication runs server-side. Locked Framer content is physically removed from the public site and served only after a successful authentication request. Inspecting the HTML, View Source, or browser devtools reveals nothing.

No credentials in client code

Passwords, PINs, and access keys never touch the browser. The Framer plugin only references opaque lock identifiers — the actual credentials live in the Proofly backend with bcrypt-style hashing.

Webhook signature verification

Forms Inbox webhooks are signed and verified on receipt. Stripe webhooks are signature-verified before any state changes. We don't trust unsigned payloads anywhere in the pipeline.

Per-product access scopes

Your PageLock data is isolated from your Forms data, isolated from your Blog data, by per-product row-level security policies in the database. One product cannot read another.

Infrastructure

The services we trust with your data, and what each one does.

Stripe — payments

Card data never touches Proofly servers. All payment processing happens in Stripe Checkout. We store only the Stripe customer ID, subscription ID, and invoice metadata. PCI DSS compliance: Stripe's.

Supabase — application data

Postgres database with row-level security. Encrypted at rest, TLS in transit, daily backups, point-in-time recovery on paid tiers. SOC 2 Type II–compliant infrastructure.

OVH — application server

The Proofly application runs on dedicated OVH infrastructure in the EU. Docker containerised, behind a reverse proxy with strict TLS settings. ISO 27001 + ISO 27701 compliance: OVH's.

Resend — transactional email

Billing emails, password resets, and OTP codes are sent via Resend. DKIM- and SPF-signed. Bounce and complaint events are processed so we don't keep sending to dead addresses.

Operational practices

Secrets management

API keys and database credentials live in encrypted environment variables on the OVH host. Never committed to git, never logged. Quarterly rotation of high-value keys.

Dependency auditing

Production dependencies are audited via npm audit on every deploy. High-severity advisories block the pipeline. Direct dependency tree kept small.

Webhook idempotency

Stripe and partner webhooks are processed idempotently — duplicate deliveries (Stripe retries up to 3 days) cannot create duplicate state. Out-of-order events are retried via a 503 signal.

Disclosure policy

Report security issues to [email protected]. We acknowledge within 24 hours and patch high-severity issues within 7 days. Coordinated disclosure preferred.

Questions about security?

Reach out for a deeper conversation — DPA, sub-processor list, infosec questionnaires, or anything we missed.

Contact security