GR
GoodRep

Security

How GoodRep keeps your data safe.

GoodRep is built on modern infrastructure with secure authentication, encrypted connections, and battle-tested providers. This page gives a high-level overview of how we think about security.

Infrastructure & data hosting

  • Application hosting: GoodRep runs on Vercel, a managed platform for Next.js applications.
  • Database: Customer data (users, organizations, locations, reviews) is stored in Postgres hosted by Supabase. Connections from the app to Supabase use SSL.
  • Regions & redundancy: We rely on our infrastructure providers for availability, backups, and physical security of the underlying systems.

Authentication & authorization

  • Sign-in: GoodRep uses NextAuth with email/password credentials. Passwords are hashed using bcrypt before being stored in the database; we never store raw passwords.
  • Sessions: Sessions use JWTs and are scoped to your organization via `requireOrg()` so users only see data for organizations they belong to.
  • Role-based access: Members, admins, and owners are modeled via memberships so we can add role-based permissions as the product grows.

Payments & billing

  • No card storage: GoodRep does not store or process raw payment card data.
  • Stripe: Subscriptions and billing are handled by Stripe. We redirect you to Stripe-hosted Checkout and Customer Portal pages; Stripe is PCI-DSS compliant and responsible for card security.
  • Identifiers only: In our database we store Stripe customer, subscription, and price IDs to reconcile your plan, not card numbers.

Integrations & API access

  • Google Business Profile: We connect via Nango, which manages OAuth flows and access tokens. GoodRep stores connection identifiers, not Google passwords.
  • Email: Transactional email (such as low-rated review alerts) is sent via providers like Resend. Bounce handling and delivery are managed by those providers.

Data protection & operations

  • All communication between the browser, GoodRep, Supabase, Stripe, and other providers is encrypted in transit using HTTPS (TLS).
  • Access to production environments is limited to trusted operators and protected by strong authentication.
  • We avoid collecting data we do not need, and we review logs and alerts from our providers to monitor for unusual activity.

Questions

  • If you have security questions or need more detail for your team, reach out to us via the contact information in the Privacy Policy.