Trust Center
Security
How we protect your data, infrastructure, and business.
Last Updated: April 2026
1. Certifications & Compliance
Stripe Partner (Active)
Payment processing through Stripe, which maintains PCI DSS Level 1 certification. Vale never handles, stores, or transmits card data directly.
GDPR Compliant (Active)
We process personal data in accordance with the EU General Data Protection Regulation. A DPA is available on request.
OWASP Aligned (Active)
Self-attested compliance with the OWASP Top 10 (2025), verified by automated and manual penetration testing.
ISO 27001 (In Progress)
Information security management system certification. Currently in preparation.
2. Data & Privacy
For full details on what data we collect, how long we retain it, your GDPR rights, and our sub-processors, see our Privacy Policy.
- Guest booking PII (name, email, phone) is encrypted at rest with AES-256-GCM
- Audit logs are retained for 12 months and auto-deleted via TTL index
- Login attempts are retained for 90 days and auto-deleted via TTL index
- We never store, see, or transmit payment card data — Stripe handles all card processing
- No analytics cookies, no tracking, no data sold to third parties
A Data Processing Agreement (DPA) is available on request for enterprise clients.
3. Infrastructure
Our infrastructure is hosted on reputable, SOC 2-compliant providers:
| Service | Provider | Detail |
|---|---|---|
| Backend API | Railway | Node.js/Express application server |
| Database | MongoDB Atlas | Managed MongoDB with TLS encryption, automated backups |
| Marketing site | Netlify | Static site hosting with edge CDN |
| Payments | Stripe | PCI DSS Level 1 certified payment processing |
| Email | Resend | Transactional email delivery |
| IoT Gateway | Railway | Shelly device integration for gate control |
Network Security
- TLS encryption enforced on all connections (HSTS with preload)
- CORS restricted to allowlisted origins
- Content Security Policy (CSP) headers configured
- Rate limiting on all endpoints with emergency throttle capability
4. Security Practices
Encryption
- Data in transit: TLS 1.2+ on all connections
- Data at rest: AES-256-GCM for sensitive fields (guest PII, system secrets)
- Passwords: bcrypt with cost factor 12
- Key derivation: PBKDF2-SHA256 with 100,000 iterations
- API keys: SHA-256 hashed, never stored in plaintext
Authentication & Access Control
- JWT-based authentication with 45-minute access tokens
- Refresh token rotation — old tokens revoked on each refresh
- Token revocation on logout
- TOTP-based multi-factor authentication (MFA) with backup codes
- Account lockout after 5 failed login attempts (15-minute window)
- Role-based access control (CUSTOMER, SUPERVISOR, ADMIN)
- MFA-pending tokens blocked from accessing protected resources
Input Protection
- NoSQL injection prevention via express-mongo-sanitize
- Parameterized database queries (Mongoose ORM)
- JSON payload size limited to 10KB
- Password complexity: minimum 8 characters with uppercase, lowercase, and digit
- Content-Type validation on all mutation endpoints
- Input length limits on all string fields
Security Headers
- Strict-Transport-Security with preload
- Content-Security-Policy with restrictive directives
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: no-referrer
- Permissions-Policy restricting camera, microphone, geolocation
- Cache-Control: no-store on authentication and admin responses
Audit & Monitoring
- Audit logging for password changes, MFA events, role changes, API key operations, and settings changes
- Login attempt tracking with IP address and user agent
- Request ID correlation (X-Request-Id) across all requests
- Automated error sanitization — no stack traces or internal details in responses
5. OWASP Top 10 Compliance
We actively test against the OWASP Top 10 (2025). All categories pass:
| ID | Category | Status |
|---|---|---|
| A01 | Broken Access Control | Pass |
| A02 | Cryptographic Failures | Pass |
| A03 | Injection | Pass |
| A04 | Insecure Design | Pass |
| A05 | Security Misconfiguration | Pass |
| A06 | Vulnerable Components | Pass |
| A07 | Auth Failures | Pass |
| A08 | Data Integrity | Pass |
| A09 | Logging & Monitoring | Pass |
| A10 | SSRF | Pass |
Testing & Verification
- 2,507 automated backend tests across 101 test suites
- 37 automated OWASP penetration test cases run on every commit
- 80+ manual penetration test cases documented and executed quarterly
- Incident response runbook maintained and reviewed regularly
Continuous Security
- Dependabot monitors dependencies for known vulnerabilities
- Weekly npm audit via GitHub Actions — blocks deployment on critical/high findings
- Pre-commit hooks run full test suite including security tests
- 0 known vulnerabilities in production dependencies
6. Security Disclosure
If you discover a security vulnerability, please report it responsibly:
Email: privacy@valepark.org
Do not open public GitHub issues for security vulnerabilities.
We acknowledge reports within 24 hours and provide a resolution timeline within 72 hours.