Security Overview
Last updated: April 8, 2026
PourPrice is built on AWS infrastructure with security controls applied at every layer. This page summarizes our security architecture for customers, integration partners, and marketplace reviewers. To report a vulnerability, see the Incident Response section below.
1. Infrastructure
| Layer | Implementation |
|---|---|
| Cloud provider | Amazon Web Services (AWS) — primary region us-east-1, Multi-AZ |
| Compute | AWS ECS Fargate (containerized services). No persistent EC2 instances; each task runs in an isolated ephemeral container. |
| Database | AWS RDS PostgreSQL 16 with Multi-AZ failover. Automated daily backups retained for 35 days. Point-in-time recovery enabled. |
| File storage | AWS S3 with server-side encryption (SSE-S3), holding call recordings and uploaded invoices. Public access blocked at bucket level. |
| CDN | AWS CloudFront for static assets and public pricing pages. HTTPS enforced; HTTP redirected. |
| Network | VPC with private subnets for database and worker tiers. Application Load Balancer in public subnet. Security groups restrict inter-service traffic to required ports only. |
| Secrets management | AWS Secrets Manager. No secrets in environment variables, config files, or source code. Secrets are injected into containers at runtime. |
2. Encryption
2.1 At Rest
- Database: RDS encryption enabled using AWS KMS (AES-256). Encryption applies to storage, automated backups, read replicas, and snapshots.
- File storage: S3 SSE with AES-256. Bucket policies prevent unencrypted object uploads.
- Application-layer encryption: OAuth tokens and third-party integration credentials (e.g., Procore access tokens, CMiC API keys) are encrypted with AES-256-GCM before being written to the database. The encryption key is stored in AWS Secrets Manager, not in the database.
2.2 In Transit
- TLS 1.2 minimum enforced on all external endpoints. TLS 1.3 preferred.
- All internal service-to-service communication runs within the VPC private subnet. Database connections use SSL/TLS enforced at the RDS parameter group level.
- HSTS enabled on all public domains. HTTP requests are permanently redirected to HTTPS.
3. Authentication
3.1 User Authentication
- Session management via Auth.js (NextAuth). Sessions are short-lived JWTs with refresh token rotation.
- Passwords are hashed with bcrypt (work factor 12) before storage. Plaintext passwords are never logged or stored.
- Google OAuth 2.0 available as an alternative to password authentication.
- Failed login attempts trigger rate limiting. Accounts are locked after 10 consecutive failed attempts and require email verification to unlock.
3.2 API Key Authentication
- API keys use a `pp_live_` prefix for production and `pp_test_` for test environments, enabling secret scanners to detect leaked keys.
- Keys are stored as bcrypt hashes in the database. The raw key is displayed only once at creation and cannot be recovered.
- Keys are revocable at any time from the dashboard.
- Key permissions are scoped to read-only or read-write at the time of creation.
3.3 OAuth for Integrations
The Procore and CMiC integrations use OAuth 2.0 3-legged authorization. Users explicitly authorize PourPrice to access their accounts with clearly stated permission scopes. Tokens are stored encrypted (AES-256-GCM) and can be revoked by disconnecting the integration in PourPrice settings or from the connected app’s side.
4. Authorization
4.1 Role-Based Access Control
Access is controlled at the organization level with three roles:
| Role | Permissions |
|---|---|
| Admin | Full access: manage members, billing, integrations, API keys, all data |
| Member | Search pricing, manage projects, upload invoices, export data |
| Viewer | Read-only: view pricing, projects, and saved searches |
4.2 Multi-Tenant Isolation
All database tables include a tenant_id column. Every query is filtered by the authenticated user’s tenant at the application layer. Direct database access requires IAM authentication and is restricted to the engineering team via jump host.
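The application-layer tenant filter described above can be made hard to forget by fixing the tenant once, from the authenticated session, and exposing only already-scoped query functions. The following is an added example, not PourPrice's code: it uses a constructed in-memory array in place of the PostgreSQL table and Drizzle ORM, and the `tenantScoped` helper and its method names are assumptions for the illustration.

```javascript
// Added example, not PourPrice's implementation. Demonstrates a tenant-scoped
// data access object over a constructed in-memory table.

// Constructed sample rows; every row carries tenant_id as the page describes.
const PROJECTS = [
  { id: 1, tenant_id: 'acme', name: 'Bridge deck pour' },
  { id: 2, tenant_id: 'acme', name: 'Parking structure' },
  { id: 3, tenant_id: 'globex', name: 'Warehouse slab' },
];

function nextId(table) {
  return Math.max(0, ...table.map((r) => r.id)) + 1;
}

// Build an accessor bound to one tenant. Callers never pass tenant_id per call;
// it is taken from the authenticated session when the accessor is created.
function tenantScoped(table, tenantId) {
  if (typeof tenantId !== 'string' || tenantId.length === 0) {
    throw new Error('tenant id is required');
  }
  const mine = () => table.filter((r) => r.tenant_id === tenantId);
  return {
    list: () => mine().map((r) => ({ ...r })),
    // Lookup by id is still filtered: a guessed id belonging to another tenant
    // yields null rather than the other tenant's row.
    get: (id) => {
      const r = mine().find((x) => x.id === id);
      return r ? { ...r } : null;
    },
    // tenant_id is set last so a client-supplied value cannot override it.
    create: (fields) => {
      const row = { ...fields, id: nextId(table), tenant_id: tenantId };
      table.push(row);
      return { ...row };
    },
  };
}

module.exports = { PROJECTS, tenantScoped };
```

The same shape maps onto a real ORM by having `mine()` return a base query that already carries the `tenant_id` predicate; the important property is that no code path outside this module constructs a query against the table without going through it.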
5. API Security
- Rate limiting: Per-API-key and per-IP rate limits enforced at the API gateway layer using Redis. Stricter limits apply to unauthenticated endpoints.
- Input validation: All incoming request payloads are validated with Zod schemas before reaching business logic. Invalid input returns a structured error response and is never passed to the database.
- SQL injection prevention: All database queries use parameterized statements via Drizzle ORM. Raw SQL is not used at application-facing boundaries.
- CORS: Strict CORS policy; only `pourprice.com` and registered partner domains are permitted origins.
- Webhook verification: Incoming webhooks (Stripe, Procore) are verified using HMAC signatures before processing.
6. Compliance Posture
| Framework | Status |
|---|---|
| SOC 2 Type II | Designed to SOC 2 standards (Security, Availability, Confidentiality trust service criteria). Formal audit planned for 2026. |
| CCPA | Compliant. Data subject rights procedures documented in our Privacy Policy. |
| AI disclosure | Automated voice AI calls comply with California SB 1001 and equivalent state laws. Every call begins with a bot disclosure before collecting any information. |
| PCI DSS | Payment card data is handled exclusively by Stripe (PCI DSS Level 1). PourPrice never stores, processes, or transmits raw card data. |
7. Vulnerability Management
- Dependency scanning: GitHub Dependabot runs automated scans on all npm dependencies. Critical and high CVEs are blocked from merging to `main` via CI checks.
- npm audit: Runs in every CI pipeline. Builds fail on critical vulnerabilities.
- Container scanning: Docker images are scanned for vulnerabilities before deployment via AWS ECR enhanced scanning.
- Penetration testing: Annual third-party penetration test of the API and web application.
- Patch policy: Critical vulnerabilities patched within 24 hours. High-severity within 7 days. Medium within 30 days.
8. Security Monitoring
- All API requests are logged with correlation IDs, user/tenant IDs, IP address, and response status. Logs are aggregated and retained for 90 days.
- AWS GuardDuty enabled for threat detection across the AWS account.
- Alerts on API error rate spikes, unusual authentication patterns, and privilege escalation attempts.
- On-call rotation with 24/7 PagerDuty alerting for critical security events.
9. Incident Response
In the event of a security incident, PourPrice will notify affected customers within 72 hours of a confirmed breach, per applicable data breach notification requirements.
To report a vulnerability: Email security@pourprice.com with a description of the issue. We request responsible disclosure: please allow 90 days for investigation and remediation before public disclosure. We do not currently offer a formal bug bounty program but will acknowledge researchers publicly with their permission.
General security questions: security@pourprice.com