Security
Last updated April 29, 2026
How we protect data
- Transport. All traffic is HTTPS-only with HSTS. Our hosting provider terminates TLS at the edge.
- At rest. Application data is stored in managed Postgres with at-rest encryption. Document uploads (claim verification) go to Cloudflare R2 with object-level encryption and signed-URL retrieval.
- Authentication. Passwords are hashed with bcrypt (cost factor 10). Sessions are JWT-signed with the NextAuth canonical secret. Email verification is required before access to most features.
- Payments. All cardholder data is handled by Stripe. We never see, store, or process raw card numbers — Stripe’s tokens are all that ever reach our infrastructure.
- Webhook signatures. Stripe webhooks are verified against a shared secret with a 5-minute timestamp window. Nukaplakia review-decision webhooks use HMAC-SHA256 over ${ts}.${body} with the same timestamp tolerance.
- Rate limiting. Public endpoints are rate-limited per IP (signup, claim creation, chat turns, lead capture). Per-day per-session limits apply to AI chat surfaces.
Reporting a vulnerability
We pay attention to security reports. Email security@nucleardirectories.com with:
- The vulnerability description and reproduction steps.
- The affected URL or endpoint.
- Your name and a way to credit you (if desired).
We acknowledge within 48 hours and provide a fix or status update within 7 days. Please do not exfiltrate other users’ data or test against accounts you don’t control. Good-faith research is welcome; we won’t pursue legal action against researchers who follow this disclosure policy.
What we owe you when something goes wrong
If a breach affects your data, we will email you within 72 hours of confirmation, describe what we know, what we’re doing about it, and what you should do. We will tell you what categories of data were accessed and whether passwords or payment information are at risk. We will not minimize, delay, or obscure.
security.txt
A machine-readable contact record per RFC 9116 lives at /.well-known/security.txt.