Security & disclosure

Security posture.

How we protect customer data, what we use, what we promise, and how to report a security issue responsibly.

1. Encryption & transport

TLS 1.3 on every page, enforced via HSTS preload (max-age=31536000; includeSubDomains; preload)
End-to-end HTTPS — HTTP requests are 301-redirected. No HTTP fallback.
Encryption at rest on all storage (Cloudflare KV, Cloudflare R2, DigitalOcean Postgres)
SSL Labs grade A+ on default profile

2. Infrastructure

Compute & CDN: Cloudflare Workers + Cloudflare Pages — multi-region edge with built-in DDoS protection + Bot Fight Mode enabled
Database: DigitalOcean managed PostgreSQL (EU-Frankfurt) with automated daily backups, encryption at rest, IP allowlist
Object storage: Cloudflare R2 (no public access on customer-data buckets, signed URLs only for report PDF delivery)
Email: Cloudflare Email Routing (inbound) + Resend (outbound transactional) + Brevo (outbound marketing). DKIM + SPF + DMARC all verified.
Payments: Stripe Checkout — PCI-DSS Level 1 certified. We never see or store full card data.

3. Third-party processors

Full list with purpose + data handled lives in our privacy policy §5. Sub-processors are reviewed quarterly. Anything that handles personal data sits inside the EU/EEA or under SCC + adequacy decision.

4. Customer data — what we store and for how long

Quiz answers: stored encrypted in Cloudflare KV during report generation, deleted within 48 hours of completion
Generated PDF: stored in Cloudflare R2 for 30 days for re-downloads, then auto-purged via lifecycle policy (90-day max)
Email + purchase metadata: stored in Brevo + Stripe for nurture / receipts / tax compliance
No card data, no government ID, no biometrics, no health data

5. Authentication & admin access

2FA enforced on every founder account: Cloudflare, DigitalOcean, GitHub, NameCheap, Stripe, Sentry (founder-confirmed 2026-05-18; reverified quarterly)
Admin endpoints on the worker are gated by a rotated bearer token (ADMIN_TOKEN) stored as Cloudflare Worker secret, never in code
Branch protection on the main repo: all changes via PR, owner direct-push blocked, linear history required, deletion blocked
Secret scanning on every PR via TruffleHog --only-verified + weekly full-repo scan

6. Monitoring & incident response

Error monitoring: Sentry (toucan-js), PII scrubbed via redact.js before send, sample rate 0.5
Uptime monitoring: UptimeRobot — alerts on /health failure within 5 minutes
Daily report cron sends a state snapshot at 07:00 UTC; missing report = signal
GDPR breach notification: within 72 hours to CNPD (Portuguese DPA) + affected users if high-risk, per Articles 33-34

7. Vulnerability disclosure

We welcome responsible disclosure of security issues from researchers, customers, and the public. We do not currently run a paid bug bounty programme, but we recognize and credit researchers in our changelog if they wish.

7.1 What to report

Authentication / authorization bypass
Data exposure (customer email, quiz answers, PDF reports, contact database)
Stripe webhook signature bypass
Cross-site scripting (XSS) on any wheretoemigrate.io page
Server-side request forgery (SSRF), SQL injection, RCE
Sensitive config or secret leakage

7.2 What is out of scope

Denial of service / volumetric attacks (please don't try them — use a synthetic target)
Social engineering of the founder or third parties
Physical attacks
Reports of missing security headers without an exploit path
Self-XSS (when the user must run JavaScript in their own console)
Spam / phishing reports — those go to hello@

7.3 Safe harbour

If you research in good faith, follow this policy, and give us reasonable time to fix before public disclosure, we will not pursue legal action against you. Specifically: do not access more data than required to demonstrate the issue; do not modify or delete data; do not disrupt service.

How to report

Email security@wheretoemigrate.io (forwards to founder) with:

A clear description of the issue
Steps to reproduce
The minimum impact you can demonstrate (so we can verify quickly)
Your preferred attribution (anonymous, name, handle, link)

Response targets: 72 hours initial acknowledgement · 7 days triage decision · 30 days fix for HIGH severity · 90 days for MEDIUM.

8. What we ask of customers

Don't share your download token link — it grants 10 downloads of your report PDF. Treat it like a temporary password.
Verify Stripe Checkout in your browser URL bar before paying — should always show checkout.stripe.com
If something looks wrong (suspicious email claiming to be us, broken page, leaked data), email security@wheretoemigrate.io immediately