Security
BounceGrip is built with security as a default. The service runs on Supabase (Postgres, auth, and private storage), Vercel (hosting and TLS), Creem.io (billing), and Resend (email).
- Row-level security on every customer-data table.
- Server-side authorization for every mutation.
- Private storage buckets — public files are mediated by signed URLs.
- Secure random tokens for QR and packet share; only hashes are stored.
- Creem webhook signatures verified with HMAC-SHA256 (timing-safe).
- HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, restricted Permissions-Policy.
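The token and webhook items above, sketched for Node.js as an added example; this is not BounceGrip's own code. The function names, the `Map` standing in for a database table, and the hex encoding of the signature are assumptions, and the secret and body are constructed sample values.

```javascript
const crypto = require("node:crypto");

function sha256Hex(value) {
  return crypto.createHash("sha256").update(value, "utf8").digest("hex");
}

// Issue a share token: the caller receives the raw token once,
// and only its SHA-256 hash is handed to storage.
function issueShareToken() {
  const token = crypto.randomBytes(32).toString("base64url"); // 256 bits from the CSPRNG
  return { token, tokenHash: sha256Hex(token) };
}

// Resolve a presented token by hashing it first, so a leaked table
// of hashes cannot be replayed as valid tokens.
function findShare(store, presentedToken) {
  if (typeof presentedToken !== "string" || presentedToken.length === 0) return null;
  return store.get(sha256Hex(presentedToken)) ?? null;
}

// Verify an HMAC-SHA256 signature (assumed hex-encoded) over the raw request body.
// The body must be the exact bytes received, not re-serialized JSON.
function verifyWebhook(rawBody, signatureHex, secret) {
  // Reject missing or malformed signatures before comparing:
  // crypto.timingSafeEqual throws when the two buffers differ in length.
  if (typeof signatureHex !== "string" || !/^[0-9a-f]{64}$/i.test(signatureHex)) return false;
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(signatureHex, "hex");
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample values, not real secrets or real webhook payloads.
const SAMPLE_SECRET = "constructed-secret-for-example";
const SAMPLE_BODY = Buffer.from('{"id":"evt_constructed","type":"example"}');
const SAMPLE_SIG = crypto.createHmac("sha256", SAMPLE_SECRET).update(SAMPLE_BODY).digest("hex");
```
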
Report a security issue to security@bouncegrip.com. We do not run a public bug bounty, but we appreciate responsible disclosure.