Security

Infrastructure

• Encryption in transit: All connections use TLS 1.3. HSTS is enforced with preloading.
• Encryption at rest: All database records are encrypted at rest via our hosting provider Convex.
• Authentication: Handled by Clerk with industry-standard OAuth 2.0 flows, session management, and JWT verification.
• Payment processing: Stripe handles all payment data. We never see or store your card number, CVV, or billing details.

Application Security

• Authentication on every request: Every API call verifies user identity before returning data.
• Ownership verification: Users can only access their own trips, check-ins, routes, and emergency contacts.
• Input validation: All data is validated at the schema level — malformed requests are rejected before processing.
• Webhook verification: All incoming webhooks (Clerk, Stripe) are cryptographically verified before processing.
• Security headers: X-Frame-Options, Content-Type-Options, Referrer-Policy, Permissions-Policy, and Strict-Transport-Security are enforced on every response.

Data Protection

• Location data: Only collected when you actively use location-dependent features (check-in, route checking). Never tracked in the background.
• Emergency contacts: Encrypted and only accessible by the account owner. Shared with contacts only when a check-in is missed.
• No data selling: We never sell, rent, or share your personal data with advertisers or data brokers.
• Minimal data collection: We collect only what is necessary to provide the service.

Reporting Vulnerabilities

If you discover a security vulnerability, please report it responsibly to security@safesolo.travel. We take all reports seriously and will respond within 48 hours.