DisputeWell

Security

Your clients trust you. We make sure that trust is earned.

Credit repair means handling sensitive financial data every day. DisputeWell is built on SOC 2 Type II certified infrastructure with multi-tenant isolation, AES-256 encryption, and zero-trust access controls — so you can focus on your clients, not your attack surface.

SOC 2 Type II, ISO 27001, HIPAA, PCI DSS v4.0, GDPR
Certified by Beagle Security

Data Isolation

Every tenant is an island.

Row-level security policies enforce complete data isolation between organizations. Each customer database receives isolated, randomly-generated credentials. Your clients' data is invisible to every other tenant — not filtered, not hidden, physically unreachable.

Encryption

Encrypted everywhere.

TLS 1.3 in transit. AES-256 at rest — covering databases, file storage, and search indexes. Every API call, every document upload, every credit score travels through encrypted channels. No exceptions, no fallbacks.

Authentication

Identity, verified.

Session-based authentication with secure token rotation. Portal clients authenticate through isolated login flows — separate sessions, separate cookies, zero cross-contamination. All critical internal systems enforce MFA.

Defense in depth

Security isn't a feature — it's every layer. From edge-level DDoS protection to database-level row isolation, every operation is authenticated, authorized, and encrypted.

Role-based access control

Owner, manager, and agent roles with granular permission gating. Every mutation validates the caller's role before executing. Agents can't access billing. Managers can't transfer ownership.

DDoS mitigation

Automatic L3/L4 DDoS protection at every edge location — zero added latency. Challenge mode activates real-time verification during attacks. Embedded bot management on all plans.

Web application firewall

Vercel's WAF with managed rulesets protecting against OWASP Top 10 vulnerabilities. Custom rules for logging, blocking, challenging, and rate-limiting L7 traffic.

Session management

Automatic session expiration, secure cookie handling, and token refresh flows. Portal sessions are fully isolated from CRM sessions — compromise one, the other holds.

Audit trail

Every import, dispute, letter generation, and status change is timestamped and attributed. Complete traceability from credit pull to resolution.

Privacy by design

Clients only see their own data. Portal users cannot enumerate other customers, access other organizations, or discover tenant metadata. Zero information leakage by architecture.

Secure file storage

Client documents — IDs, utility bills, supporting evidence — stored in tenant-scoped buckets with AES-256 encryption at rest. Signed URLs expire. No direct public access, ever.

Bot detection

Vercel BotID provides invisible bot detection — no CAPTCHAs, no API keys, no fine-tuning required. Malicious traffic is identified and blocked before it reaches your application.

API security

Every public function validates arguments with strict schemas. Internal operations use isolated function types that clients cannot invoke. No v.any() on sensitive endpoints.

Compliance & certifications

DisputeWell runs on Vercel and Convex — both independently audited and certified. Their compliance is your compliance.

SOC 2 Type II

Both Vercel and Convex maintain SOC 2 Type II attestations with continuous monitoring. Annual third-party audits verify controls across security, availability, and confidentiality.

ISO 27001

Vercel holds ISO 27001:2013 certification — the international standard for information security management systems. Systematic risk management across all operations.

GDPR

Full GDPR compliance with Data Processing Addendums. Data Privacy Framework (DPF) certified. Your EU clients' data is handled with the protections they expect.

HIPAA

HIPAA-compliant infrastructure with Business Associate Agreements available. Convex and Vercel both support healthcare-grade data handling requirements.

PCI DSS v4.0

Vercel is PCI DSS v4.0 compliant. Payment processing handled by Stripe — a PCI Service Provider Level 1 certified vendor. Card data never touches our servers.

Penetration Testing

Annual third-party penetration testing across both Vercel and Convex. Automated vulnerability scanning and intrusion detection operate continuously within infrastructure.

Built for sensitive data

Credit reports, Social Security numbers, financial records. We treat every byte like it matters — because it does.


Security commitments

The short list. Every item is enforced in code, not promised in a PDF.

  • AES-256 encryption at rest across databases, files, and search indexes
  • TLS 1.3 for all data in transit — internal and external
  • Row-level security enforced at the database layer
  • Isolated database credentials per customer, randomly generated
  • DDoS protection at every edge location with zero latency overhead
  • WAF with OWASP Top 10 managed rulesets
  • Role-based access control validated on every mutation
  • Tenant-scoped file storage with signed, expiring URLs
  • Session isolation between CRM staff and portal clients
  • Automatic backups with point-in-time recovery
  • Annual third-party penetration testing on all infrastructure
  • MFA enforced on all critical internal systems

Edge Network

Deployed on Vercel's global edge network with automatic DDoS protection, certificate management, and failover to the nearest available location during regional outages. ISO 27001 and SOC 2 Type II certified.

Backend & Database

Convex provides automatic backups, point-in-time recovery, and transactional consistency. AES-256 encryption across databases, file storage, and search indexes. SOC 2 Type II and HIPAA compliant with isolated credentials per customer.

Payments

All payment processing handled by Stripe — PCI Service Provider Level 1 certified. Card data never touches DisputeWell servers. Vercel itself maintains PCI DSS v4.0 compliance for the hosting layer.

© 2026 DisputeWell. All rights reserved.