Security
Pinnacle Prep · Last updated 1 April 2025
Our security practices
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Passwords are hashed using bcrypt via Supabase Auth. We never store plain-text passwords.
- Authentication uses JSON Web Tokens (JWTs) with short expiry windows.
- Row-Level Security (RLS) is enabled on all database tables — users can only access their own data.
- Payment processing is handled entirely by Paddle. We never receive or store card numbers.
- Admin access to the database requires multi-factor authentication.
Responsible disclosure
If you discover a security vulnerability, please email support@pinnacleprep.org with the subject line "Security Disclosure". We will acknowledge your report within 48 hours and aim to resolve critical issues within 7 days. Please do not publicly disclose vulnerabilities before we have had a chance to address them.
Infrastructure
- Database: Supabase (hosted on AWS, EU region)
- Frontend: Netlify CDN
- API functions: Supabase Edge Functions (Deno runtime)
Contact
support@pinnacleprep.org