Fjellride logoFjellride

Security

Last updated: January 2025

Fjellride is committed to providing a secure platform for our customers. This page outlines the security measures we have implemented to protect your data and our infrastructure.

Infrastructure Security

Data Centers and Hosting

All Fjellride infrastructure is hosted within the European Economic Area (EEA) to ensure GDPR compliance:

  • AWS: eu-north-1 (Stockholm, Sweden)
  • Google Cloud Platform: eu-north1 (Stockholm, Sweden)
  • Supabase: EU region (Stockholm, Sweden)
  • Vercel: Stockholm, Sweden (hosting), EU (logs)

All data processing occurs within the EEA, ensuring compliance with GDPR requirements.

Network Security

Cloudflare Protection

  • DDoS Protection: Cloudflare provides automatic DDoS mitigation and protection against distributed denial-of-service attacks
  • Web Application Firewall (WAF): Cloudflare's WAF helps protect against common web vulnerabilities
  • SSL/TLS Encryption: Automatic SSL certificate provisioning and renewal for all domains
  • CDN: Global content delivery network for improved performance and security

Vercel Firewall

  • Edge Protection: Vercel's firewall provides additional layer of protection at the edge
  • Rate Limiting: Built-in rate limiting to prevent abuse

Google Cloud Platform Security

  • Cloud Armor: GCP's DDoS protection and WAF capabilities
  • Network Security: Secure network configurations and firewall rules
  • Identity and Access Management: Role-based access control for infrastructure

Application Security

Authentication and Authorization

  • Password Security: Passwords are hashed using bcrypt with 10 rounds before storage
  • Session Management: Secure session cookies with HTTPS-only and SameSite protection
  • Magic Link Authentication: Time-limited, single-use authentication links
  • API Key Authentication: Hashed API keys with rate limiting and expiration
  • Role-Based Access Control: Granular permissions system for different user roles

Rate Limiting

  • API Rate Limiting: 100 requests per minute per IP address for general endpoints
  • API Key Rate Limiting: Configurable rate limits per API key (default: 1000 requests per hour)
  • Authentication Rate Limiting: Protection against brute force attacks

Data Protection

Encryption

  • Data in Transit: All data transmitted over the network is encrypted using TLS 1.2 or higher
  • Data at Rest: Database encryption provided by Supabase
  • Payment Data: Payment information is processed securely through Stripe Connect (PCI DSS compliant)

Database Security

  • Row Level Security (RLS): Supabase RLS policies ensure users can only access data they're authorized to view
  • Connection Security: Encrypted database connections
  • Backup Encryption: Regular encrypted backups

API Security

  • CORS Protection: Strict CORS policies limiting allowed origins
  • API Key Authentication: Secure API key-based authentication for external integrations
  • Input Validation: All API inputs are validated and sanitized
  • SQL Injection Protection: Parameterized queries and ORM usage prevent SQL injection

Payment Security

  • Stripe Connect: All payment processing is handled by Stripe, a PCI DSS Level 1 compliant payment processor
  • No Card Storage: We do not store credit card information. All payment data is processed directly by Stripe
  • Secure Payment Links: Payment links use Stripe's secure checkout system

Monitoring and Incident Response

  • Logging: Comprehensive logging of security-relevant events
  • Monitoring: Continuous monitoring of system health and security events
  • Incident Response: Procedures in place to respond to security incidents
  • Data Breach Notification: We will notify affected parties within 48 hours of discovering a data breach, as required by GDPR

Security Best Practices

For Organizations Using Fjellride

  • Use strong, unique passwords for your accounts
  • Enable two-factor authentication when available
  • Regularly review API keys and revoke unused ones
  • Keep your organization's user access up to date
  • Report any security concerns immediately to hello@fjellride.se

For End Customers

  • Use strong passwords if you create an account
  • Be cautious of phishing attempts
  • Report suspicious activity to the organization you're booking with

Security Updates

We regularly update our dependencies and infrastructure to address security vulnerabilities. Security patches are applied as soon as they become available.

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

Email: hello@fjellride.se

Please include:

  • Description of the vulnerability
  • Steps to reproduce (if applicable)
  • Potential impact
  • Your contact information

We appreciate responsible disclosure and will work with you to address any security concerns.

Compliance

  • GDPR: Full compliance with the General Data Protection Regulation
  • Data Residency: All data stored and processed within the EEA
  • Privacy: See our Privacy Policy for details on how we handle personal data

Subprocessors

For a complete list of subprocessors and their locations, see our Data Processing Agreement.

Contact

For security-related questions or concerns, please contact us at hello@fjellride.se.