Trust & Safety
Security at LancerFee
Last updated: March 4, 2026
1. Data Encryption
In Transit
- All data encrypted using TLS 1.3
- HTTPS enforced on all pages
At Rest
- All data stored using AES-256 encryption
- Passwords are never stored — we use OAuth only (Google/GitHub)
2. Payment Security
- LancerFee never stores your credit card information
- Subscription billing handled by Stripe (PCI DSS Level 1 certified)
- Client payments go directly to freelancer's own Stripe account
3. Authentication & Access
- Sign-in via Google OAuth 2.0 or GitHub OAuth only
- Row Level Security (RLS) enforced at the database level
- Each user can only access their own data
- Sessions expire automatically after inactivity
4. Infrastructure
| Component | Provider | Security Standard |
|---|---|---|
| Database | Supabase (AWS) | SOC 2 Type II |
| Hosting | Vercel | SOC 2 Type II |
| Payments | Stripe | PCI DSS Level 1 |
| Auth | Supabase Auth | OAuth 2.0 |
5. Application Security
- Row Level Security (RLS): All queries scoped to the authenticated user
- Environment Variables: API keys never exposed to the client side
- Input Validation: All user inputs sanitized before database storage
- CORS Policy: Requests restricted to lancerfee.co only
- Rate Limiting: Applied to all API endpoints
6. What We Don't Do
- We never sell your data
- We never access your invoice data without your permission
- We never store credit card numbers
- We never share client information with third parties
- We never hold your client payments
7. Vulnerability Disclosure
Found a security issue? We take all reports seriously.
We commit to:
- Acknowledge your report within 48 hours
- Investigate and respond within 7 business days
- Not pursue legal action against good-faith security researchers
8. Data Breach Notification
In the event of a data breach, affected users will be notified within 72 hours. (CCPA requirement)
9. Third-Party Services
For a full list of third-party services we use, see our Privacy Policy.
10. Contact
For security concerns or questions:
hello@lancerfee.co