Security at Spluur

We take security seriously. Here's exactly how we protect your code, data, and infrastructure — with no marketing fluff.

Encryption everywhere

  • All data encrypted in transit via TLS 1.3
  • Passwords hashed with bcrypt (cost factor 12)
  • Database credentials encrypted at rest
  • API keys stored as hashed prefixes — never in plaintext

Infrastructure isolation

  • Each customer app runs in its own container
  • Network policies prevent cross-tenant traffic
  • Hetzner datacentres in Frankfurt (EU) with SOC 2 Type II
  • Automated vulnerability scans on every deploy

Access controls

  • Session tokens rotated on every login
  • Session revocation on password change
  • Audit log of all account actions (90-day retention)
  • Admin actions isolated to a separate role with logging

Reliability & backups

  • Daily automated backups of all Neon Postgres data
  • Point-in-time recovery for Pro plan databases
  • Uptime monitoring with public status page
  • Incident response SLA: acknowledged within 2 hours

Third-party providers

We use best-in-class providers for each function. We don't build crypto ourselves — we use providers who have already been audited.

  • Hetzner Cloud (Compute infrastructure): ISO 27001 certified, GDPR compliant, EU datacentres
  • Neon (Serverless Postgres): SOC 2 Type II, encrypted at rest and in transit
  • Upstash (Serverless Redis): SOC 2 Type II, AES-256 encryption at rest
  • Resend (Transactional email): SPF/DKIM/DMARC configured, no third-party tracking
  • Paystack (Payments): PCI DSS Level 1 certified, licensed by CBN and other regulators
  • Let's Encrypt (SSL certificates): Free, automated, open CA. Auto-renewed before expiry

What data we collect and why

  • Email and name: Account authentication and support
  • GitHub OAuth token: Fetching repos and triggering deploys. Stored encrypted.
  • Build logs: Debugging deployments. Retained 30 days.
  • IP addresses: Audit logging and abuse prevention. Not shared.
  • Payment data: Processed entirely by Paystack. We never see raw card numbers.

Responsible disclosure

If you discover a security vulnerability in Spluur, please report it to security@spluur.com before disclosing publicly. We ask that you:

  • Give us reasonable time to investigate and patch (90 days)
  • Avoid accessing, modifying, or deleting user data
  • Not perform denial-of-service attacks or social engineering

We will acknowledge your report within 48 hours and keep you updated throughout our investigation. We don't offer a formal bug bounty yet, but we do credit researchers in our security advisories.


Have security questions?

We're happy to answer questions from enterprise customers, security researchers, and anyone evaluating Spluur.
