Disputo
Security

Our Approach

Security is foundational to Disputo. Users trust us with sensitive financial and personal data, and we take that seriously.

What We Do

  • Encrypted in transit — all connections use HTTPS/TLS
  • Row-level security — database policies ensure users can only access their own data
  • Hashed passwords — we never store plaintext passwords
  • Minimal data sent to AI — we do not send your name, email, or payment info to our AI provider
  • No card storage — payment processing is handled entirely by Stripe; we store only your Stripe customer ID
  • Webhook signature verification — all Stripe webhooks are verified with cryptographic signatures
  • Input validation — all API endpoints validate and sanitize user input before processing

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly. Email us at hello@getdisputo.com with the subject line "Security Vulnerability". Please include a description of the issue and steps to reproduce it.

We ask that you give us reasonable time to investigate and remediate before public disclosure. We do not currently offer a bug bounty program, but we will acknowledge responsible disclosures.

Infrastructure

Disputo runs on Vercel (application hosting), Supabase (database and authentication), and Stripe (payments) — all SOC 2 compliant providers.