Security

Last updated: 1 January 2026

Your transaction data is sensitive. We take protecting it seriously. This page explains exactly what we do.

Security concerns? Email us directly at security@polyconomic.com.

Authentication and passwords

You can sign in to Polyconomic with email and password, or via Google OAuth. If you use a password, it is never stored in plain text. We hash all passwords using bcrypt with a cost factor of at least 12 before storing them.
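The paragraph above states the policy (bcrypt, cost factor of at least 12, never plain text) but not how such a rule is enforced. The following is an added illustration, not Polyconomic's code: it assumes the hashing is done in Postgres with the pgcrypto extension and uses a hypothetical app_users table; where Polyconomic actually hashes passwords is not stated on the page. The CHECK constraint is the part that matters regardless of where hashing happens, because it refuses to store anything that is not a bcrypt hash of at least the required cost.

```sql
-- Added example: enforcing "bcrypt, cost >= 12" at the storage layer.
-- Assumes pgcrypto and a hypothetical app_users table (not Polyconomic's schema).
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE app_users (
    id            bigserial PRIMARY KEY,
    email         text NOT NULL UNIQUE,
    -- NULL for Google sign-in accounts: no password is ever stored for them.
    password_hash text,
    -- Reject anything that is not a bcrypt string with a cost of 12 or more.
    -- $2a$/$2b$/$2y$ are the bcrypt identifiers, the two digits after them
    -- are the cost, then 22 salt + 31 hash characters in bcrypt's base64 alphabet.
    -- (Relies on standard_conforming_strings=on, the default, so \$ is a literal $.)
    CONSTRAINT password_hash_is_bcrypt_cost_12_plus
        CHECK (password_hash IS NULL
               OR password_hash ~ '^\$2[aby]\$(1[2-9]|2[0-9]|3[01])\$[./A-Za-z0-9]{53}$')
);

-- Hashing on the way in: gen_salt('bf', 12) yields a fresh $2a$12$ salt,
-- crypt() does the bcrypt work and returns the full 60-character hash.
INSERT INTO app_users (email, password_hash)
VALUES ('alice@example.com',
        crypt('correct horse battery staple', gen_salt('bf', 12)));

-- This one is rejected with a check_violation: cost 10 is below the policy.
-- (Constructed value with a syntactically valid shape; left commented out so
-- the script runs end to end.)
-- INSERT INTO app_users (email, password_hash)
-- VALUES ('bob@example.com', '$2b$10$' || repeat('A', 53));

-- Verification: crypt() reads the salt and cost back out of the stored hash,
-- re-hashes the candidate with them, and the result matches only for the
-- correct password. Returns one row for the right password, none otherwise.
SELECT id
FROM app_users
WHERE email = 'alice@example.com'
  AND password_hash = crypt('correct horse battery staple', password_hash);
```

One caveat for anyone copying this pattern: hashing inside the database means the plaintext password travels in a SQL statement, where statement logging or slow-query logs can capture it. Hashing in the application and sending only the finished hash avoids that, and the CHECK constraint still enforces the minimum cost on whatever arrives.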

If you use Google sign-in, no password is ever stored on our servers. Authentication is handled entirely by Google's OAuth infrastructure.

All sessions are managed with signed, server-verified tokens. Sessions expire after periods of inactivity and are invalidated on logout.

Data encryption

All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We do not support older, insecure TLS versions.

Data stored in our database is encrypted at rest using AES-256. Backups are also encrypted.

We never require or store wallet private keys or cryptocurrency exchange withdrawal permissions. We only request read-only API access where integrations support it.

Data isolation

Your transaction data is isolated at the database level using row-level security (RLS). Even if an application query contained a bug, the database would still refuse to return your rows to a request made on behalf of another user.
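What "isolated at the database level" means in practice is easiest to see in the policies themselves. The block below is an added example, not Polyconomic's schema: it assumes a hypothetical transactions table with a user_id column, Supabase's auth.uid() helper (which returns the subject of the caller's JWT) and Supabase's authenticated role. It also covers the failure mode the paragraph describes, a query that forgets or mis-specifies its WHERE clause.

```sql
-- Added example: per-user row-level security on Supabase Postgres.
-- Table and column names are hypothetical; auth.uid() and the
-- authenticated role are Supabase's own.
CREATE TABLE transactions (
    id          bigserial PRIMARY KEY,
    -- Defaulting to the caller's id means the application never has to
    -- supply it, and cannot get it wrong by accident.
    user_id     uuid NOT NULL DEFAULT auth.uid(),
    occurred_at timestamptz NOT NULL,
    asset       text NOT NULL,
    amount      numeric NOT NULL
);

-- Without this line the policies below are never consulted.
ALTER TABLE transactions ENABLE ROW LEVEL SECURITY;
-- Apply them to the table owner as well, so an owner-level connection is
-- not a silent bypass.
ALTER TABLE transactions FORCE ROW LEVEL SECURITY;

-- Reads: a row is visible only if it belongs to the caller.
CREATE POLICY transactions_select_own ON transactions
    FOR SELECT TO authenticated
    USING (user_id = auth.uid());

-- Writes: WITH CHECK constrains the row as it will exist after the write.
-- A policy of WITH CHECK (true) would let a caller insert, or re-tag, a row
-- carrying someone else's user_id; tying it to auth.uid() closes that.
CREATE POLICY transactions_insert_own ON transactions
    FOR INSERT TO authenticated
    WITH CHECK (user_id = auth.uid());

CREATE POLICY transactions_update_own ON transactions
    FOR UPDATE TO authenticated
    USING (user_id = auth.uid())
    WITH CHECK (user_id = auth.uid());

CREATE POLICY transactions_delete_own ON transactions
    FOR DELETE TO authenticated
    USING (user_id = auth.uid());

-- The "query bug" from the text: the application forgets its WHERE clause.
-- With RLS on, this still returns only the caller's rows.
SELECT id, occurred_at, asset, amount FROM transactions;

-- A bug that names the wrong user: the policy predicate is ANDed onto the
-- query, so the result is empty rather than another user's data.
-- (Constructed UUID that is not the caller's.)
SELECT id, occurred_at, asset, amount
FROM transactions
WHERE user_id = '00000000-0000-0000-0000-000000000001';
```

Two things to check when reviewing a setup like this: every table holding user data needs RLS enabled, since a table without it is fully readable by any role with SELECT privilege, and Supabase's service_role key bypasses RLS entirely, so it belongs only in trusted server-side code, never in the browser.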

Internal access to production data is restricted to a small number of authorised engineers, requires multi-factor authentication, and is logged for audit purposes.

Infrastructure

Polyconomic is hosted on Vercel (application layer) and Supabase (database). Both providers maintain their own security programmes, certifications, and physical security controls.

We use Supabase's managed Postgres infrastructure, which includes automated backups, point-in-time recovery, and encrypted storage. Supabase operates on AWS infrastructure.

Our application deployment pipeline uses branch protections, requires code review, and runs automated security checks on every deployment.

Payments

All payments are processed by Stripe. We do not store card numbers, CVV codes, or billing addresses on our servers. Stripe is PCI DSS Level 1 certified, the highest level of certification in the payment industry.

We store only your Stripe customer ID and subscription status, which we need to manage your account access.

Certifications

SOC 2 Type 2

Annual audit of our security, availability, and confidentiality controls.

ISO 27001

International standard for information security management systems.

Breach notification

If we become aware of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office (ICO) within 72 hours as required by UK GDPR. We will tell you clearly what data was affected, what we are doing about it, and what you should do.

Responsible disclosure

If you discover a security vulnerability in Polyconomic, we ask that you report it to us responsibly before disclosing it publicly. Email us at security@polyconomic.com with a description of the issue and steps to reproduce it.

We commit to: acknowledging your report within 48 hours, investigating and resolving valid issues as a priority, keeping you informed of progress, and not taking legal action against researchers who act in good faith.