
Security Overview

How LostChurn protects your data with encryption, access controls, and industry-standard security practices.

LostChurn processes sensitive payment and customer data on your behalf. Security is not an afterthought -- it is built into every layer of the platform, from the edge worker that receives webhooks to the database that stores recovery state.

Data Encryption

In Transit

All data transmitted between your systems and LostChurn is encrypted using TLS 1.3. This includes:

  • Webhook payloads from your payment processor to LostChurn's edge worker
  • API requests from your application to the LostChurn REST API
  • Dashboard traffic between your browser and the LostChurn web application
  • Internal service-to-service communication within LostChurn's infrastructure

LostChurn enforces HTTPS on all endpoints. Plain HTTP requests are rejected, not redirected.

At Rest

All data stored by LostChurn is encrypted at rest using AES-256 encryption. This covers:

  • Payment failure records and recovery state
  • Customer metadata and contact information
  • Campaign content and configuration
  • Audit logs and event history

Encryption keys are managed through a dedicated key management service and rotated on a regular schedule.

What LostChurn Does Not Store

LostChurn never stores full card numbers, CVVs, or raw payment credentials. Recovery retries are executed through your payment processor's API using tokenized references (e.g., Stripe PaymentMethod IDs). LostChurn never has access to cardholder data in the clear.

LostChurn stores only the data necessary for recovery operations:

  Stored                                  Not stored
  --------------------------------------  ------------------------------------------------
  Last four digits of the card            Full card number (PAN)
  Card brand and expiration month/year    CVV / CVC
  Tokenized payment method reference      Raw card credentials
  Customer email and name                 Passwords or authentication tokens
  Decline codes and recovery state        Payment processor API keys in the clear (the processor credential LostChurn uses for retries is stored encrypted at rest)

PCI Compliance Scope

Because LostChurn never handles, transmits, or stores raw cardholder data (only processor tokens and truncated card data), it falls outside the cardholder data environment in most PCI DSS assessments. All payment operations are delegated to your PCI-compliant payment processor (Stripe, Braintree, etc.) through their tokenized APIs. This reduces the scope LostChurn adds to your environment; it does not change your own obligations as a merchant, such as the self-assessment questionnaire you file with your processor.

If your compliance team requires a formal attestation, contact security@lostchurn.com for our PCI responsibility matrix.

Security Compliance

LostChurn is pursuing a SOC 2 Type II attestation report. Current security controls align with the Trust Services Criteria:

  Criteria              Status
  --------------------  ---------------------------------------------------------------------
  Security              Controls in place: access management, encryption, network segmentation
  Availability          99.9% uptime SLA, multi-region deployment, automated failover
  Processing Integrity  Idempotent webhook processing, deduplication, audit logging
  Confidentiality       Encryption at rest and in transit, role-based access, key rotation
  Privacy               Data retention policies, right to erasure, DPA available

Contact security@lostchurn.com for the latest compliance status.

Access Controls

Dashboard Access

LostChurn uses Clerk for authentication. All dashboard users must authenticate with email and password plus a second factor (TOTP or SMS). TOTP is the stronger choice: SMS codes are exposed to SIM-swap and interception attacks, so prefer an authenticator app where your policy allows. Single sign-on (SSO) via SAML is available on the Enterprise plan.

Role-Based Permissions

  Role    Permissions
  ------  -----------------------------------------------------------------------------------
  Owner   Full access, manage billing, invite/remove members, delete workspace
  Admin   Manage integrations, campaigns, and settings. Cannot manage billing or delete workspace
  Member  View dashboard, analytics, and recovery status. Cannot modify settings
  Viewer  Read-only access to dashboard and analytics

API Key Scopes

API keys can be scoped to limit access. See API Authentication for details on available scopes.

Infrastructure

  • Edge processing: Webhook ingestion runs on Cloudflare Workers at 300+ edge locations worldwide, ensuring low-latency webhook acceptance and HMAC verification close to the source.
  • Compute: Core recovery logic runs on SpacetimeDB, providing strong consistency guarantees and deterministic execution.
  • Isolation: Each merchant's data is logically isolated, and tenant separation is enforced at both the application and database layers so that one workspace cannot read or modify another's records.

Edge Infrastructure

LostChurn's edge layer processes webhooks and session data as close to the source as possible, minimizing latency and reducing the attack surface of the core recovery engine.

Edge Webhook Processing

Cloudflare Workers handle webhook ingestion at 300+ edge locations worldwide. HMAC verification, timestamp validation, and deduplication all happen at the edge before any data reaches the recovery module. This means forged or replayed payloads are rejected within milliseconds, at the nearest point of presence to the sender.

Edge KV Caching

Frequently accessed data — merchant configuration, webhook deduplication keys, and cancel flow session state — is cached in Cloudflare KV for sub-millisecond lookups. This eliminates round-trips to the database for hot-path operations and enables the edge worker to make authorization and deduplication decisions without any backend dependency.

All edge cache operations are non-fatal. If the KV store is temporarily unreachable, the worker falls back to the database path. This graceful degradation ensures that a cache outage never blocks webhook processing or recovery actions.

R2 Encrypted Cold Storage

Raw webhook payloads are stored in Cloudflare R2 with AES-256-GCM encryption for up to 548 days (the Visa/Mastercard chargeback evidence window). This ensures that original payment failure evidence is available for dispute resolution without retaining sensitive data in the primary database longer than necessary.

Circuit Breaker Pattern

LostChurn applies a circuit breaker to every merchant-gateway pair. When a payment processor experiences elevated failure rates, the circuit opens automatically, preventing retries from hitting a known-down gateway and causing cascading failures. The circuit re-closes automatically once the gateway recovers. See Multi-Gateway Cascading for details on circuit breaker states.
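A per-(merchant, gateway) breaker with the conventional closed / open / half-open states, added here as an illustration and not taken from LostChurn's code or from the Multi-Gateway Cascading page. The failure threshold, window, cooldown, and the rule that half-open admits a single probe are assumptions; the clock is injectable so the state transitions can be exercised deterministically.

```javascript
// Added example (not LostChurn code): circuit breaker keyed by merchant + gateway.
// Thresholds and state names are illustrative assumptions.
class CircuitBreaker {
  constructor({ failureThreshold = 5, windowMs = 60_000, cooldownMs = 30_000, now = () => Date.now() } = {}) {
    Object.assign(this, { failureThreshold, windowMs, cooldownMs, now });
    this.state = 'closed';
    this.failures = [];   // timestamps of recent failures while closed
    this.openedAt = 0;
  }

  // May a retry be attempted right now? Open -> no until cooldown, then exactly one probe.
  allowRequest() {
    if (this.state === 'open') {
      if (this.now() - this.openedAt >= this.cooldownMs) { this.state = 'half-open'; return true; }
      return false;
    }
    if (this.state === 'half-open') return false; // probe already in flight
    return true;
  }

  recordSuccess() { this.state = 'closed'; this.failures = []; }

  recordFailure() {
    const t = this.now();
    if (this.state === 'half-open') { this.trip(t); return; } // probe failed: back to open
    this.failures = this.failures.filter((ts) => t - ts < this.windowMs);
    this.failures.push(t);
    if (this.failures.length >= this.failureThreshold) this.trip(t);
  }

  trip(t) { this.state = 'open'; this.openedAt = t; this.failures = []; }
}

// One breaker per merchant-gateway pair, so a gateway outage for one merchant does not
// suppress retries for others, and one merchant's bad credentials do not trip everyone.
const breakers = new Map();
function breakerFor(merchantId, gateway, opts) {
  const key = `${merchantId}:${gateway}`;
  if (!breakers.has(key)) breakers.set(key, new CircuitBreaker(opts));
  return breakers.get(key);
}

// Attempt a retry through the gateway; gatewayCall() returns true on success.
function attemptRetry(breaker, gatewayCall) {
  if (!breaker.allowRequest()) return 'skipped_open';
  if (gatewayCall()) { breaker.recordSuccess(); return 'ok'; }
  breaker.recordFailure();
  return 'failed';
}
```

Skipped retries should still be recorded in the audit log with the breaker state, so that a customer whose retry was deferred by an open circuit can be distinguished from one whose retry was declined by the gateway.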

Vulnerability Reporting

If you discover a security vulnerability in LostChurn, please report it responsibly to security@lostchurn.com. We acknowledge reports within 24 hours and aim to resolve critical issues within 72 hours.
