Security
How we protect customer data. The technical detail beneath the commitments in our trust page and privacy policy.
Infrastructure
PackCleared runs on Vercel (edge + serverless compute) with Neon (managed PostgreSQL) as the primary data store. Both providers hold SOC 2 Type II attestations and operate in SOC-audited data centers in the United States. Database traffic rides Neon's private networking; application-to-database connections never traverse the public internet.
Encryption
- In transit. TLS 1.2 minimum on every connection — between users and the app, between the app and every sub-processor, and between the app and the database. HSTS enforced.
- At rest. Database content and file blob storage are encrypted at the storage layer by our infrastructure providers. Backups are encrypted with the same keys and retained on the provider's separate, encrypted backup infrastructure.
- Secrets. API keys, database credentials, webhook signing secrets, and third-party tokens are stored in the deployment platform's managed secret store. They are never committed to source control and never exposed in client-side code.
Authentication
User authentication is handled by Clerk — a specialized identity provider with dedicated security engineering. Features available to every user:
- Password login with strength enforcement, rate limiting, and breach-database checks
- Social login options (if enabled by the workspace)
- Multi-factor authentication (MFA) via authenticator app, SMS, or passkey
- Session management with configurable timeouts and device tracking
- Secure password reset with out-of-band email verification
PackCleared itself never sees or stores raw passwords. All credential handling is delegated to Clerk under their security controls.
Access control
PackCleared enforces a five-layered permission model:
- Super Admin — controlled by an environment variable; bypasses all other layers. Used for platform operations only.
- Workspace role — Admin, Organizer, Trip Leader, or Member. Gates who can see and modify org-level resources.
- Trip role — Leader or Participant. Gates what actions can be taken on a specific trip.
- Entitlement — per-plan feature flags on workspace billing. Gates premium features.
- Policy — org-configurable per-role toggles (e.g. allowMemberGenderPronouns, minorSafetyMode). The org admin tunes these for their context.
Every sensitive operation is gated by the appropriate combination. A full reference is in the internal permissions document; if you need the detail for procurement, reach out via contact.
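As an added illustration of how the five layers above compose into a single decision (example code written for this page, not PackCleared's own authorization module), the function below evaluates each layer in order and returns the first layer that denies. The `Principal`, `Workspace` and `Action` shapes, the entitlement name `roster-export`, and the way super-admin status is surfaced on the principal are assumptions; only the role names and policy keys come from the page.

```typescript
// Added example, not PackCleared's code: a composable check over the
// five permission layers described on the page.
type WorkspaceRole = "Admin" | "Organizer" | "Trip Leader" | "Member";
type TripRole = "Leader" | "Participant";

interface Principal {
  userId: string;
  isSuperAdmin: boolean;                          // assumed: derived from the env-controlled allowlist
  workspaceRoles: Record<string, WorkspaceRole>;  // workspaceId -> role
  tripRoles: Record<string, TripRole>;            // tripId -> role
}

interface Workspace {
  id: string;
  entitlements: Set<string>;                      // per-plan feature flags on billing
  policies: Record<string, boolean>;              // org-configurable toggles
}

interface Action {
  workspaceId: string;
  tripId?: string;
  allowedWorkspaceRoles: WorkspaceRole[];
  allowedTripRoles?: TripRole[];
  requiredEntitlement?: string;
  requiredPolicy?: string;                        // policy toggle that must be enabled
}

interface Decision { allowed: boolean; reason: string }

function authorize(p: Principal, ws: Workspace, a: Action): Decision {
  // Layer 1: super admin bypasses every other layer (platform operations only).
  if (p.isSuperAdmin) return { allowed: true, reason: "super-admin" };
  if (ws.id !== a.workspaceId) return { allowed: false, reason: "workspace mismatch" };

  // Layer 2: workspace role gates org-level resources.
  const wsRole = p.workspaceRoles[a.workspaceId];
  if (!wsRole) return { allowed: false, reason: "not a workspace member" };
  if (!a.allowedWorkspaceRoles.includes(wsRole)) {
    return { allowed: false, reason: `workspace role ${wsRole} not permitted` };
  }

  // Layer 3: trip role gates actions on a specific trip.
  if (a.tripId !== undefined) {
    const tripRole = p.tripRoles[a.tripId];
    if (!tripRole) return { allowed: false, reason: "not on trip" };
    if (a.allowedTripRoles && !a.allowedTripRoles.includes(tripRole)) {
      return { allowed: false, reason: `trip role ${tripRole} not permitted` };
    }
  }

  // Layer 4: entitlement (plan feature flag) gates premium features.
  if (a.requiredEntitlement && !ws.entitlements.has(a.requiredEntitlement)) {
    return { allowed: false, reason: `plan lacks ${a.requiredEntitlement}` };
  }

  // Layer 5: org policy toggle, tuned by the org admin.
  if (a.requiredPolicy && ws.policies[a.requiredPolicy] !== true) {
    return { allowed: false, reason: `policy ${a.requiredPolicy} disabled` };
  }

  return { allowed: true, reason: "all layers passed" };
}

// Constructed sample data (not real workspaces or users).
const sampleWorkspace: Workspace = {
  id: "ws-A",
  entitlements: new Set(["roster-export"]),
  policies: { allowMemberGenderPronouns: false, minorSafetyMode: true },
};
const leader: Principal = {
  userId: "u1", isSuperAdmin: false,
  workspaceRoles: { "ws-A": "Member" }, tripRoles: { "trip-1": "Leader" },
};
const participant: Principal = {
  userId: "u2", isSuperAdmin: false,
  workspaceRoles: { "ws-A": "Member" }, tripRoles: { "trip-1": "Participant" },
};
const outsider: Principal = {
  userId: "u3", isSuperAdmin: false,
  workspaceRoles: { "ws-B": "Admin" }, tripRoles: {},
};
const exportRoster: Action = {
  workspaceId: "ws-A",
  tripId: "trip-1",
  allowedWorkspaceRoles: ["Admin", "Organizer", "Trip Leader", "Member"],
  allowedTripRoles: ["Leader"],
  requiredEntitlement: "roster-export",
};

console.log(authorize(leader, sampleWorkspace, exportRoster));       // allowed
console.log(authorize(participant, sampleWorkspace, exportRoster));  // denied: trip role
console.log(authorize(outsider, sampleWorkspace, exportRoster));     // denied: not a member
```

Ordering matters: the membership and role checks run before the entitlement and policy checks, so a caller who is not in the workspace is rejected before any plan or policy detail is consulted, and the returned `reason` makes the denying layer visible in audit logs without leaking it to the end user.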
Data isolation
Multi-tenant data separation is enforced at the ORM query layer by required workspace scoping. A member of Workspace A cannot issue a query that reads rows belonging to Workspace B, because every data access path filters on the authenticated user's memberships. We review cross-tenant query paths defensively when they're introduced.
Cross-workspace data flow involving users marked as minors is additionally gated by per-workspace consent records under the minor-safety protocol described in our trust page.
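The two paragraphs above describe mandatory workspace scoping and the extra consent gate for minors. The following is an added example, written for this page rather than taken from PackCleared or Prisma, of a read path where the tenant filter cannot be omitted or overridden by the caller. The in-memory `TRIPS` table, the `Caller` and `ConsentRecord` shapes, and the names `scopeFor`, `findTrips` and `minorConsentSatisfied` are assumptions standing in for the ORM layer.

```typescript
// Added example, not PackCleared's code: a repository read path with
// mandatory, non-overridable workspace scoping plus a minor-consent gate.
interface Membership { workspaceId: string }
interface Caller { userId: string; memberships: Membership[] }

interface TripRow {
  id: string;
  workspaceId: string;
  name: string;
  leaderId: string;
}

// Constructed rows for two tenants (stand-in for database tables).
const TRIPS: TripRow[] = [
  { id: "t1", workspaceId: "ws-A", name: "Alpine weekend", leaderId: "u1" },
  { id: "t2", workspaceId: "ws-A", name: "Coastal hike", leaderId: "u2" },
  { id: "t3", workspaceId: "ws-B", name: "Desert loop", leaderId: "u9" },
];

class TenantScopeError extends Error {}

// Builds the mandatory filter from the authenticated caller's memberships.
// Throws when the caller is not a member of the requested workspace, so a
// wrong scope fails loudly instead of silently widening the query.
function scopeFor(caller: Caller, workspaceId: string): { workspaceId: string } {
  const isMember = caller.memberships.some(m => m.workspaceId === workspaceId);
  if (!isMember) {
    throw new TenantScopeError(`user ${caller.userId} is not a member of ${workspaceId}`);
  }
  return { workspaceId };
}

// The only read entry point: there is no overload that accepts an unscoped
// filter, and the scope is spread last so caller-supplied fields cannot
// replace it.
function findTrips(caller: Caller, workspaceId: string, extra: Partial<TripRow> = {}): TripRow[] {
  const where = { ...extra, ...scopeFor(caller, workspaceId) };
  return TRIPS.filter(row =>
    Object.entries(where).every(([k, v]) => row[k as keyof TripRow] === v)
  );
}

// Per-workspace consent record for sharing a minor's data with another
// workspace (assumed shape).
interface ConsentRecord { workspaceId: string; subjectUserId: string; shareWithWorkspaceId: string }

// Additional gate for cross-workspace flows: adults are not subject to it
// (the normal authorization still applies); minors require a matching
// consent record held by the source workspace.
function minorConsentSatisfied(
  subject: { userId: string; isMinor: boolean },
  fromWorkspace: string,
  toWorkspace: string,
  consents: ConsentRecord[],
): boolean {
  if (!subject.isMinor) return true;
  return consents.some(c =>
    c.workspaceId === fromWorkspace &&
    c.subjectUserId === subject.userId &&
    c.shareWithWorkspaceId === toWorkspace
  );
}

// Constructed callers and consent records.
const memberOfA: Caller = { userId: "u1", memberships: [{ workspaceId: "ws-A" }] };
const CONSENTS: ConsentRecord[] = [
  { workspaceId: "ws-A", subjectUserId: "m1", shareWithWorkspaceId: "ws-B" },
];

console.log(findTrips(memberOfA, "ws-A").map(t => t.id));  // ["t1", "t2"]
```

A useful review habit that this structure supports: grep for every call site of the underlying table access and confirm each goes through `findTrips` (or its equivalent), since the isolation guarantee only holds as long as no code path bypasses the scoped entry point.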
Auditing & logging
- Application audit logs for sensitive operations — consent grants, minor-protection changes, adult-content preference changes, role changes, workspace policy changes — with actor, timestamp, source, and reason.
- Infrastructure access logs via Vercel and Neon, with configurable retention.
- Application error + performance telemetry for operational alerting. Telemetry is stripped of PII before aggregation.
Vulnerability management
- Automated dependency scanning on every deploy via GitHub Dependabot + npm audit. Critical vulnerabilities block merge.
- TypeScript strict mode across the codebase catches entire classes of injection bugs at build time.
- Parameterized queries — all database access goes through Prisma ORM; no raw string concatenation into SQL.
- Content Security Policy + same-origin enforcement via Next.js middleware + Clerk.
- Rate limiting on authentication, checkout, and AI inference endpoints via Upstash.
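The "no raw string concatenation into SQL" item above is the one on this list that is easiest to verify in code review. As an added example (written for this page; it is neither PackCleared's code nor Prisma's implementation), the tagged template below shows the property a parameterized query path provides: statement text and user-supplied values travel separately, so a value containing quote characters never changes the statement. The `sql` tag, `ParamQuery` shape and `inputLeaksIntoText` helper are assumptions for illustration.

```typescript
// Added example, not PackCleared's or Prisma's code: a minimal tagged
// template that separates SQL text from bound values, beside the
// concatenation pattern it replaces.
interface ParamQuery { text: string; values: unknown[] }

// Each interpolated value becomes a positional placeholder ($1, $2, ...)
// and is returned in `values` for the driver to bind separately.
function sql(strings: TemplateStringsArray, ...values: unknown[]): ParamQuery {
  let text = String(strings[0]);
  values.forEach((_, i) => {
    text += `$${i + 1}` + strings[i + 1];
  });
  return { text, values };
}

// The anti-pattern the page rules out: user input spliced into SQL text.
function unsafeLookup(email: string): string {
  return `SELECT id FROM users WHERE email = '${email}'`;
}

// The parameterized form: the statement text is constant regardless of input.
function safeLookup(email: string): ParamQuery {
  return sql`SELECT id FROM users WHERE email = ${email}`;
}

// Review/test guard: no bound string value may appear verbatim in the text.
function inputLeaksIntoText(q: ParamQuery): boolean {
  return q.values.some(v => typeof v === "string" && v.length > 0 && q.text.includes(v));
}

// Constructed input containing a quote and a comment sequence.
const hostileInput = "x' OR 1=1 --";
console.log(unsafeLookup(hostileInput));  // statement text altered by the input
console.log(safeLookup(hostileInput));    // text unchanged, input carried in values[0]
```

When the real driver receives `{ text, values }`, the database parses `text` once with `$1` as a typed parameter, so the content of `values[0]` can only ever be compared against `email`. The `inputLeaksIntoText` check is the kind of assertion worth adding to a query-builder test suite to catch a future regression to concatenation.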
Incident response
We follow a structured incident response process: detect, contain, investigate, notify, remediate. Notification timelines adhere to applicable legal requirements (GDPR 72-hour rule for notifiable breaches, state breach-notification statutes). If a security incident affects your account, we will notify you via your account email address with a plain-language summary of what happened, what data was affected, and what we've done.
To report a potential security issue: email security via our contact form with subject line “Security Report”. We commit to acknowledging valid reports within one business day.
Payment security
All payment processing is handled by Stripe, Inc., which maintains PCI-DSS Level 1 certification. PackCleared never sees, stores, or transmits raw payment card numbers, security codes, or full card details. Card data is tokenized by Stripe before it reaches our systems.
Certifications — where we are and where we're going
PackCleared does not yet hold formal independent security certifications. We're building toward:
- SOC 2 Type II — the baseline expected by most enterprise B2B buyers. Scheduled for after we cross a revenue / customer-count threshold that justifies the audit cost.
- iKeepSafe COPPA Safe Harbor — for the school vertical. Complements the SDPC NDPA readiness described in our trust page.
- CSA STAR (Level 1 self-assessment) — inheritable from our infrastructure providers; planned near-term.
- ISO 27001 — further out. Evaluated when international customer demand warrants it.
Each certification will be listed here with its actual certificate number and audit date once earned. We don't claim certifications we haven't completed.
Security documentation
For procurement questionnaires, SIG Lite responses, CAIQ responses, data processing agreements, or enterprise security reviews, reach out via contact. We turn these around promptly.