Encrypted in Transit
All API traffic uses TLS 1.2+ encryption. No plaintext connections accepted.
WAF Protected
Cloudflare WAF filters malicious requests before they reach our servers.
API Keys Hashed
Keys stored as one-way hashes. Only the prefix is visible for identification.
Containerized
Services run in isolated Docker containers with minimal attack surface.
1. Infrastructure Security
- Encryption in transit: All traffic between clients and the PriceDepth API is encrypted using TLS 1.2 or higher. We enforce HTTPS-only connections; plaintext HTTP requests are automatically redirected
- Web Application Firewall: All API traffic is routed through Cloudflare WAF, which provides automated protection against common web attacks including SQL injection, cross-site scripting (XSS), and DDoS attacks
- Containerized architecture: All PriceDepth services run in isolated Docker containers, limiting the blast radius of any potential compromise. Containers are built from minimal base images and run with restricted privileges
- Regular security updates: Operating system packages, runtime dependencies (Node.js 22 LTS), and container base images are updated regularly to patch known vulnerabilities
- Network segmentation: Internal services communicate over private networks. Database ports are not exposed to the public internet
2. Application Security
- API key authentication: All API access requires a valid API key. Keys are scoped to specific tiers (Free, Pro, Enterprise) with appropriate access levels and rate limits
- Rate limiting: Per-key and per-IP rate limiting prevents abuse and ensures fair access for all customers. Rate limit headers (X-RateLimit-Remaining, X-RateLimit-Reset) are included in every response
- Request ID tracing: Every API request is assigned a unique request ID (X-Request-ID) for end-to-end tracing and audit purposes. This enables rapid incident investigation and correlation
- Input validation: All API inputs are validated and sanitized before processing. Query parameters, path parameters, and request bodies are checked against strict schemas
- OWASP Top 10 awareness: Our development practices address the OWASP Top 10 security risks, including injection attacks, broken authentication, sensitive data exposure, and security misconfiguration
- Content Security Policy: Our web pages implement Content Security Policy (CSP) headers to prevent cross-site scripting and data injection attacks
3. Data Security
- Encryption at rest: Database contents are encrypted at rest using AES-256 encryption. Backups are also encrypted
- API key hashing: API keys are stored using one-way cryptographic hashes (bcrypt). Only the key prefix (first 8 characters) is stored in plaintext for identification in your dashboard. The full key is shown only once at creation time
- No credit card storage: PriceDepth never stores credit card numbers, CVVs, or full card details. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor
- Minimal data collection: We collect only the data necessary to provide our service. See our Privacy Policy for details on what we collect and why
- Data retention limits: API usage logs are automatically purged after 90 days. Error logs are retained for 30 days. Account data is deleted within 30 days of account closure
4. Operational Security
- Structured logging: All application logs are structured JSON (Pino), enabling automated analysis, alerting, and anomaly detection. Logs never contain sensitive data such as API keys or passwords
- Error tracking: Application errors are captured by Sentry with automatic alerting. Stack traces and request context are captured for rapid diagnosis. Sensitive fields are scrubbed before transmission
- Automated health checks: Internal health checks run continuously, monitoring API availability, database connectivity, scraper pipeline freshness, and index computation status
- Incident response: We maintain an incident response procedure that includes detection, triage, mitigation, communication, and post-mortem review. Enterprise customers are notified within 30 minutes of a confirmed incident
- Access controls: Production system access is restricted to authorized personnel with multi-factor authentication. All access is logged and auditable
5. Responsible Disclosure
We take security vulnerabilities seriously and appreciate responsible disclosure from the security research community.
Report a Vulnerability
If you discover a security vulnerability in PriceDepth, please report it responsibly.
[email protected]
Our Commitments
- Acknowledgment: We will acknowledge your report within 48 hours
- Assessment: We will investigate and validate the reported vulnerability within 5 business days
- Critical fixes: We aim to remediate critical vulnerabilities within 7 days of validation
- Communication: We will keep you informed of our progress and notify you when the issue is resolved
- Credit: With your permission, we will publicly credit you for responsibly disclosed vulnerabilities
Scope
The following are in scope for responsible disclosure:
- The PriceDepth API (pricedepth.com/v1/*)
- The PriceDepth website (pricedepth.com)
- Authentication and authorization mechanisms
- Data exposure or leakage vulnerabilities
Please do not perform denial-of-service testing, social engineering, or access other users' data during your research.
6. Compliance Roadmap
We are committed to meeting the compliance requirements our enterprise customers need:
Enterprise customers requiring specific compliance certifications or security questionnaires are encouraged to contact us at [email protected].
Contact
- Security reports: [email protected]
- Privacy inquiries: [email protected]
- General inquiries: [email protected]