Security Compliance
LostChurn's security compliance posture, certifications, vendor security, and data protection controls.
Overview
LostChurn is built with enterprise-grade security controls designed to protect your payment data. This page summarizes our compliance posture, security certifications, and the controls that safeguard your information.
LostChurn is pursuing SOC 2 Type II certification. Contact sales@lostchurn.com for the latest compliance status and to request our current security documentation.
Security Controls
Encryption
| Layer | Standard |
|---|---|
| In transit | TLS 1.2+ on all connections. Webhook payloads verified with HMAC-SHA256 signatures. |
| At rest | AES-256 encryption for all stored data. Webhook payloads in R2 cold storage encrypted with AES-256-GCM. PSP credentials encrypted at the field level. API keys stored as irreversible hashes. |
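The two receiver-side controls in the table above, HMAC-SHA256 verification of webhook payloads and API keys stored only as irreversible hashes, as an added Python example that is not LostChurn's own code: the secret, payload, key and header name are constructed for illustration, and the assumption that the signature covers the raw request body is an assumption here, not a statement of LostChurn's scheme (see the Webhook Verification page for the real details).

```python
import hashlib
import hmac

# Constructed demo values (not real LostChurn secrets or keys).
DEMO_SECRET = b"constructed-demo-signing-secret"
DEMO_BODY = b'{"event":"payment.failed","id":"evt_demo_001"}'
DEMO_API_KEY = "lc_demo_0123456789abcdef"  # hypothetical key format


def sign_webhook(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body, as a sender would attach to the request."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, received_sig: str) -> bool:
    """Recompute the MAC over the exact bytes received and compare in constant time.

    Two defender-side points: verify against the raw bytes before JSON parsing
    (re-serialising changes whitespace and key order and breaks the MAC), and use
    hmac.compare_digest rather than ==, so the comparison does not leak how many
    leading bytes of the guess were correct through response timing.
    """
    expected = sign_webhook(secret, body).encode("ascii")
    return hmac.compare_digest(expected, received_sig.encode("utf-8"))


def hash_api_key(api_key: str) -> str:
    """The only value a server should persist for an API key.

    A plain SHA-256 is adequate here because API keys are long random strings,
    unlike passwords; the stored digest cannot be reversed into the key, so a
    database leak does not hand out working credentials.
    """
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def lookup_api_key(store: dict, presented_key: str):
    """Authenticate a presented key by hashing it and looking up the digest.

    `store` maps stored digests to an owner id (constructed in-memory stand-in
    for the real datastore). Returns the owner or None.
    """
    return store.get(hash_api_key(presented_key))


def demo() -> dict:
    """Exercise both controls on the constructed values and return the outcomes."""
    sig = sign_webhook(DEMO_SECRET, DEMO_BODY)
    key_store = {hash_api_key(DEMO_API_KEY): "merchant_demo"}
    return {
        "valid_signature": verify_webhook(DEMO_SECRET, DEMO_BODY, sig),
        # A single altered byte in the body invalidates the MAC.
        "tampered_body": verify_webhook(DEMO_SECRET, DEMO_BODY + b" ", sig),
        # A different secret cannot produce a matching MAC.
        "wrong_secret": verify_webhook(b"other-secret", DEMO_BODY, sig),
        "key_accepted": lookup_api_key(key_store, DEMO_API_KEY),
        "key_rejected": lookup_api_key(key_store, "lc_demo_not_issued"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The store keeps only digests, so an attacker who reads it still has to present a key whose hash matches; and because verification recomputes the MAC over the raw body, any modification in transit is rejected before the payload reaches business logic.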
Authentication and Access
| Control | Description |
|---|---|
| Multi-factor authentication | All dashboard users authenticate with email/password plus a second factor (TOTP or SMS). |
| Enterprise SSO | SAML 2.0 single sign-on available on the Enterprise plan. |
| Role-based access | Four roles (Owner, Admin, Member, Viewer) with least-privilege enforcement. |
| API key scoping | API keys can be scoped to specific permissions and resources. |
Network and Infrastructure
| Control | Description |
|---|---|
| DDoS protection | Cloudflare WAF and DDoS mitigation across all endpoints. |
| Rate limiting | Per-merchant rate limiting to prevent resource exhaustion. |
| Tenant isolation | Each merchant's data is logically isolated. Cross-tenant access is not possible. |
| CORS restrictions | Strict cross-origin policies on all API endpoints. |
Audit Logging
All user actions within your account are logged with full attribution:
- Who performed the action
- What action was taken
- Which resource was affected
- When the action occurred
Audit logs are retained for a minimum of 548 days (1.5 years) and are accessible to Owners and Admins in Settings > Audit Log.
Data Handling
LostChurn follows data minimization principles:
- No raw card numbers -- LostChurn never stores full card numbers, CVVs, or raw payment credentials. All payment operations use tokenized references from your PSP.
- Webhook body retention -- Raw webhook payloads are offloaded to Cloudflare R2 cold storage at ingestion time, encrypted with AES-256-GCM, and retained for up to 548 days. Only structured metadata is kept in the primary datastore.
- Configurable retention -- Set your own data retention periods. Automated deletion is enforced at expiry. R2 payloads are automatically expired after the configured retention period.
- Right to erasure -- Customer data can be fully deleted via the dashboard or API to comply with GDPR and similar regulations.
Vendor and Sub-Processor Security
LostChurn evaluates all third-party services for security posture. All vendors listed below maintain SOC 2 Type II certification:
| Vendor | Purpose |
|---|---|
| Cloudflare | Edge compute, DNS, CDN, DDoS protection, R2 object storage |
| Clerk | Authentication and user management |
| Stripe | Payment processing |
| Resend | Email delivery |
| Twilio | SMS and voice delivery |
| Google AI | LLM inference for personalized messaging |
| GitHub | Source code management and CI/CD |
New sub-processors require 30-day advance customer notification before onboarding.
Security Testing
| Test Type | Frequency |
|---|---|
| External penetration test | Annually |
| Web application security test | Annually |
| Automated dependency scanning | Every code change |
| Static application security testing | Every code change |
| Internal security review | Quarterly |
Penetration test reports are available to Enterprise customers under NDA.
Security Policies
LostChurn maintains formal security policies reviewed semi-annually, including:
- Information Security Policy
- Access Control Policy
- Incident Response Plan
- Change Management Policy
- Vendor Management Policy
- Data Retention Policy
- Business Continuity Plan
Requesting Security Documentation
To request our security documentation, compliance reports, or to discuss our security posture:
- Email: security@lostchurn.com
- Enterprise customers: Contact your account manager directly
Next Steps
- Security Overview -- encryption, access controls, and infrastructure
- GDPR & Data Privacy -- data retention, erasure, and privacy rights
- Webhook Verification -- HMAC signature verification details
- API Authentication -- API key management and scopes