Encryption

All data is encrypted both in transit and at rest using industry-standard protocols.

  • TLS 1.3 for all data in transit
  • AES-256 encryption at rest for all stored data
  • Stripe handles all payment card data directly

Authentication

Multi-layered authentication protects every account from unauthorized access.

  • JWT token-based session management
  • Social login via OAuth 2.0 (Google, Apple)
  • Rate limiting on all authentication endpoints
  • Automatic account lockout after failed attempts

Infrastructure

Enterprise-grade AWS infrastructure with defense-in-depth architecture.

  • AWS Aurora, ECS Fargate, CloudFront CDN
  • VPC isolation with private subnets
  • Security groups with least-privilege rules
  • No public database access - all traffic routed internally

Payments

PCI DSS compliant payment processing through Stripe Connect.

  • PCI DSS compliant via Stripe Connect
  • No card data ever touches our servers
  • Tokenized payment references only
  • Stripe Radar fraud detection on all transactions

QR Code Security

Anti-fraud QR codes that rotate automatically so that screenshots and duplicated codes cannot be reused.

  • Rotating QR secrets every 30s
  • Anti-screenshot fraud prevention
  • Duplicate scan detection and alerting
  • Server-side validation on every check-in

Access Control

Fine-grained permissions ensure every user only accesses what they need.

  • Role-based access control (RBAC) permission system
  • Granular staff permissions per venue
  • Venue data isolation between organizations
  • Audit logging on all permission changes

Monitoring

Continuous monitoring and automated threat detection across our entire infrastructure.

  • CloudWatch alarms on critical metrics
  • Automated threat detection and response
  • 24/7 infrastructure monitoring
  • Real-time alerting for anomalous activity

Compliance

Building toward the highest standards of data protection and regulatory compliance.

  • GDPR ready - full data subject rights support
  • CCPA ready - California consumer privacy
  • SOC 2 Type II certification in progress
  • Data export and deletion on request

Responsible Disclosure

Report a Vulnerability

We take security seriously. If you've discovered a vulnerability in our platform, we want to hear from you and will work with you to resolve it quickly.

Responsible Disclosure Policy

We appreciate the work of security researchers who help keep Listed and our users safe. If you believe you've found a security vulnerability, please report it responsibly.

When reporting, please include:

  • A detailed description of the vulnerability and its potential impact
  • Steps to reproduce the issue, including any tools or scripts used
  • Any relevant screenshots, logs, or proof-of-concept code
  • Your contact information for follow-up

We commit to acknowledging your report within 48 hours, providing an initial assessment within 5 business days, and keeping you informed of our progress toward a fix. We ask that you give us reasonable time to address the issue before public disclosure.

We will not take legal action against security researchers who follow this policy and act in good faith.