Security

At Wick Metrics, security is not an afterthought—it's the foundation of our platform. We understand that you're trusting us with your entire business: financial data, proprietary formulas, customer information, and sensitive business documents. We take this responsibility seriously.

This page outlines the comprehensive security measures we've implemented to protect your data.

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using:

• TLS 1.3: The latest and most secure transport layer security protocol
• HTTPS Only: We enforce HTTPS for all connections—no unencrypted HTTP
• Certificate Pinning: Protects against man-in-the-middle attacks
• Perfect Forward Secrecy: Past sessions remain secure even if keys are compromised

Encryption at Rest

Your data is encrypted while stored in our databases:

• AES-256 Encryption: Military-grade encryption for all database storage
• Encrypted Backups: All backups are encrypted using the same standards
• Key Management: Encryption keys are rotated regularly and stored securely
• Sensitive Field Encryption: Extra encryption for highly sensitive data (EIN, insurance info)

Your business data is strictly isolated from other users. We implement multi-layered isolation:

Row-Level Security

Every database query is automatically filtered by your unique user ID:

• No user can ever access another user's data
• Filters are applied at the database level—not just in application code
• Even database administrators cannot bypass isolation without audit logs
• Automated tests verify isolation on every deployment

API Security

Every API request verifies authorization:

• Authentication required on all protected endpoints
• User ID validation on every request
• Role-based access control (RBAC) for team features
• Rate limiting to prevent abuse (100 requests/minute per user)

Clerk Authentication

We use Clerk, an enterprise-grade authentication provider:

• Secure Password Storage: Passwords are hashed using bcrypt with high cost factor
• Session Management: Secure, httpOnly cookies that can't be accessed by JavaScript
• Token-Based Auth: Short-lived JWT tokens with automatic refresh
• Device Fingerprinting: Detects suspicious login attempts from new devices
• Failed Login Protection: Account lockout after repeated failed attempts

Password Requirements

• Minimum 8 characters (we recommend 12+)
• Must include letters, numbers, and special characters
• Checked against database of compromised passwords
• Password reset via secure email link with expiration

Multi-Factor Authentication (Coming Soon)

We're adding support for two-factor authentication (2FA) via SMS, authenticator apps, and security keys.

Hosting & Network

Our infrastructure is built on industry-leading cloud providers:

• DigitalOcean: SOC 2 Type II certified data centers in the United States
• Vercel: Enterprise-grade application hosting with DDoS protection
• Network Isolation: Private networks between application and database
• Firewall Rules: Strict ingress/egress filtering
• DDoS Protection: Automatic mitigation of distributed denial-of-service attacks

Application Security

• Input Validation: All user inputs validated and sanitized with Zod schemas
• SQL Injection Prevention: Parameterized queries via Prisma ORM
• XSS Protection: Content Security Policy (CSP) and output encoding
• CSRF Protection: Cross-site request forgery tokens on all forms
• Secure Headers: HSTS, X-Frame-Options, and other security headers

Security Monitoring

We continuously monitor for security threats:

• Real-time error tracking and alerting
• Automated security scanning of dependencies
• Failed login attempt monitoring
• Unusual activity detection (e.g., large data exports)
• Regular penetration testing and security audits

Incident Response

In the event of a security incident:

• Immediate containment and investigation
• User notification within 72 hours (as required by GDPR)
• Detailed incident report and remediation plan
• Post-incident review and preventive measures

Automated Backups

• Daily Backups: Full database backups every 24 hours
• Point-in-Time Recovery: Can restore to any point in the last 30 days
• Encrypted Storage: All backups encrypted with AES-256
• Geographic Redundancy: Backups stored in multiple data centers
• Regular Testing: Backup restoration tested monthly

Business Continuity

• 99.9% uptime SLA target
• Failover systems for critical components
• Disaster recovery plan tested quarterly
• Recovery Time Objective (RTO): 4 hours
• Recovery Point Objective (RPO): 1 hour

We comply with industry standards and regulations:

• GDPR Compliant: European Union data protection standards
• CCPA Compliant: California Consumer Privacy Act requirements
• PCI DSS: Payment Card Industry compliance via Stripe
• SOC 2 Type II: Infrastructure providers (DigitalOcean) are certified
• OWASP Top 10: Protected against common web vulnerabilities

Security is a shared responsibility. Here's how you can protect your account:

Account Security

• Use a strong, unique password (12+ characters, mix of letters/numbers/symbols)
• Never share your password with anyone
• Enable two-factor authentication when available
• Log out when using shared or public computers
• Change your password immediately if you suspect compromise

Phishing Protection

• We will never ask for your password via email
• Check URLs carefully—we only send emails from @wickmetrics.com
• Be suspicious of urgent requests or threats
• Report suspicious emails to security@wickmetrics.com

Device Security

• Keep your operating system and browser updated
• Use antivirus software on your devices
• Avoid accessing your account on public Wi-Fi without VPN
• Lock your devices with PIN/password/biometric

Responsible Disclosure

If you discover a security vulnerability in Wick Metrics, we encourage responsible disclosure. Please report it to us privately so we can address it before public disclosure.

We commit to acknowledging your report within 48 hours and providing a timeline for resolution. We appreciate the security community's efforts to keep our users safe.

Security Questions?

Have questions about our security practices? Contact us: