Trust

Security

Concrete controls currently implemented in this repository.

Authentication

  • Email/password accounts require email verification before login.
  • Passwords and one-time 2FA codes are hashed with bcrypt.
  • Optional 2FA is supported with emailed 6-digit OTP codes.
  • Google and GitHub OAuth are available when provider env vars are configured.
  • Login attempts are rate-limited and failed attempts are tracked.

Payments

  • Public invoice payments use Stripe Checkout sessions.
  • Payouts run through Stripe Connect connected accounts.
  • Platform fees are applied as Stripe application fees when configured by plan.
  • Stripe webhooks validate the signature using `STRIPE_WEBHOOK_SECRET`.
  • Webhook events are deduplicated by unique Stripe event ID before processing.

Data handling

  • Application data is stored in Postgres.
  • Sensitive credentials are loaded from environment variables.
  • Workspace SMTP passwords are encrypted at rest (AES-256-GCM) when saved.

Operational safety

  • Webhook processing is idempotent via event-level deduplication.
  • Refund creation uses Stripe idempotency keys to avoid duplicate refunds.
  • Basic abuse controls include login throttling and invoice creation safety limits.
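
The webhook controls listed under Payments and Operational safety (signature validation, then deduplication by event ID) can be sketched as follows. This is an added example, not code from this repository: it implements Stripe's documented `Stripe-Signature` scheme by hand, uses an in-memory SQLite table as a stand-in for Postgres, and the names `verify_signature`, `handle_webhook`, `make_db`, `processed_events` and the 300-second tolerance are assumptions.

```python
import hashlib
import hmac
import json
import sqlite3
import time

TOLERANCE_SECONDS = 300  # assumed replay window (Stripe's own libraries default to 5 minutes)


def verify_signature(payload: bytes, header: str, secret: str, now=None) -> bool:
    """Validate a Stripe-Signature header: v1 = HMAC-SHA256(secret, "<t>.<raw body>")."""
    timestamp, candidates = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    if not timestamp or not (timestamp.isascii() and timestamp.isdigit()) or not candidates:
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False  # outside the window: treat as a replayed or forged delivery
    signed = timestamp.encode() + b"." + payload
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison; more than one v1 value can appear during secret rotation.
    return any(hmac.compare_digest(expected, c.encode()) for c in candidates)


def make_db():
    # Hypothetical dedup table; the primary key is what enforces "one event ID, one run".
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE processed_events (event_id TEXT PRIMARY KEY)")
    return db


def handle_webhook(db, payload: bytes, header: str, secret: str, process, now=None) -> str:
    """Return "rejected", "duplicate" or "processed" for one webhook delivery."""
    if not verify_signature(payload, header, secret, now):
        return "rejected"
    event = json.loads(payload)  # parse only after the raw bytes are authenticated
    with db:  # if process() raises, the ID insert rolls back and a retry is accepted
        try:
            db.execute("INSERT INTO processed_events (event_id) VALUES (?)", (event["id"],))
        except sqlite3.IntegrityError:
            return "duplicate"  # unique constraint hit: this event was already handled
        process(event)
    return "processed"
```

The signature must be computed over the raw request body; re-serializing parsed JSON before verification changes the bytes and makes valid deliveries fail.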

Contact

Security questions and reports: support@lateless.org.