Обновлено · 2026-07-01

Политика безопасности

TL;DR

  • Весь трафик шифруется TLS; данные хранятся у проверенных провайдеров.
  • Доступ строится по принципу минимальных привилегий; админ-панель защищена подписанными сессиями.
  • Нашли уязвимость? Пишите на [email protected] — гарантируем ответственное раскрытие без претензий.

1. Our commitment

Security is an engineering requirement at TeamMedia: protections are designed into the platform, reviewed with every change, and documented here so customers and payment partners can evaluate them.

2. Infrastructure

  • Hosting on Vercel with TLS 1.2+ enforced for all traffic (HSTS with preload).
  • Data stored in Supabase-managed PostgreSQL with encryption at rest provided by the platform.
  • Uploads stored in Vercel Blob with validated types and size limits; SVG uploads are rejected to prevent stored-XSS.
  • No card data ever touches our infrastructure — payments are processed by PCI-DSS-compliant providers.

3. Application security

  • Strict security headers: Content-Security-Policy, HSTS, X-Frame-Options DENY, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
  • All public write endpoints validate input with schema validation, enforce length limits and are rate-limited per IP.
  • Admin area gated by HMAC-SHA256-signed, HTTP-only, SameSite cookies; login attempts are rate-limited and compared in constant time.
  • Server-side price resolution: order amounts are looked up from the catalog on the server, never trusted from the client.
  • Structured JSON-LD and user content are serialized with XSS-safe escaping.

4. Access control

Internal access follows least privilege: production secrets live in the hosting provider's encrypted environment configuration, are never committed to source control, and administrative access is limited to named staff with hardware-backed MFA on the underlying accounts.

5. Monitoring and incident response

We monitor availability and error rates and keep server logs for up to 30 days. Suspected incidents follow a written runbook: contain, assess impact, notify affected customers without undue delay (within 72 hours for personal-data breaches per the DPA), remediate and post-mortem.

6. Responsible disclosure

We welcome good-faith security research. Report vulnerabilities to [email protected] with reproduction steps; do not access other users' data, degrade the service, or publicly disclose before we confirm a fix. We commit to acknowledging reports within 72 hours, will not pursue legal action for good-faith research within these rules, and credit researchers who wish to be named. A paid bounty program is planned; rewards are currently discretionary.

7. Contact

Security questions or reports: [email protected].

Напишите нам — живой человек ответит в течение рабочего дня. [email protected]

Документы и политики