Legal
How we protect your data
All payments are processed through Stripe, a PCI DSS Level 1 certified payment processor. Card numbers never touch our servers. Stripe handles all sensitive payment data storage, tokenization, and processing.
All data in transit is encrypted using TLS 1.2+ (HTTPS). We enforce HSTS, X-Frame-Options, and Content-Type-Options security headers on all pages.
We use 6-digit, time-limited, cryptographically generated authentication codes; no passwords are ever stored. Session tokens are HTTP-only, secure, and scoped to prevent cross-site access. Codes expire after 10 minutes and are single-use.
All authentication, payment, and account creation endpoints are rate-limited to prevent brute-force attacks, credential stuffing, and abuse.
Every contribution, account creation, status change, and Stripe webhook event is recorded in an append-only audit log with timestamps, IP addresses, and user context. Logs are retained for compliance purposes.
For students under 18, personal data (date of birth, guardian contact info) is never displayed publicly. Only name and school appear on the public page. Guardian email is used for Stripe onboarding and notifications only.
Report security issues to security@backth.is.