Security at Fratnance

Last updated: March 17, 2026

Protecting your chapter's financial data and member information is foundational to everything we build. Fratnance is designed with security at every layer, from infrastructure to application logic. This page provides an overview of our security practices and commitments.

Encrypted in Transit

All connections secured with TLS 1.2+

Encrypted at Rest

AES-256 encryption for stored data

PCI Compliant

Stripe handles all payment data

Role-Based Access

Granular permissions per chapter

Audit Logging

Every action tracked and reviewable

Secure Auth

Bcrypt hashing with session management

1. Encryption

Data in Transit

All communication between your browser and Fratnance is encrypted using TLS 1.2 or higher. We enforce HTTPS on all connections and send HTTP Strict Transport Security (HSTS) headers so that browsers refuse to fall back to plain HTTP. API requests and webhook payloads are likewise encrypted in transit. Email is delivered over TLS wherever the receiving mail server supports it, which is the limit of what any sender can guarantee for SMTP.

Data at Rest

All data stored in our PostgreSQL database is encrypted at rest using AES-256 encryption, provided by Supabase's managed infrastructure. Database backups are also encrypted. Uploaded files and documents are stored with server-side encryption.

2. Authentication and Session Management

Password Security

User passwords are never stored in plain text. We hash them with bcrypt at a high cost factor, which makes offline brute-force attacks slow and expensive. Slow hashing does not make weak passwords safe, so passwords are also validated against minimum complexity requirements at registration.

Session Management

Sessions are managed through NextAuth with secure, HTTP-only cookies. Session tokens are cryptographically random and rotate on each authentication event. Sessions expire after a configurable inactivity period, and users can terminate all active sessions from their account settings.

OAuth Integration

We support Google OAuth as an alternative to password-based authentication. OAuth tokens are handled securely and are never exposed to client-side code. We request only the minimum scopes needed (profile and email).

Rate Limiting

Login endpoints and sensitive API routes are protected by rate limiting to prevent brute-force and credential-stuffing attacks. Repeated failed login attempts trigger temporary lockouts with increasing delay intervals.
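The lockout behaviour described above, written out as an added example (this is illustrative code, not Fratnance's implementation). The thresholds, the doubling schedule and the in-memory Map are assumptions; in production the counters would live in a shared store such as Redis so that every serverless instance sees the same state.

```javascript
// Added example (not Fratnance's code): failed-login tracking with escalating
// lockouts. The in-memory Map stands in for a shared store; the thresholds
// and timings below are assumptions chosen for the example.
const FREE_ATTEMPTS = 5;            // failures tolerated before the first lockout
const BASE_LOCKOUT_SECONDS = 30;    // first lockout length; doubles on each further failure
const MAX_LOCKOUT_SECONDS = 3600;   // cap on the doubling
const FAILURE_WINDOW_SECONDS = 900; // quiet time after which the counter is forgotten

class LoginThrottle {
  constructor() {
    this.state = new Map(); // key -> { failures, lastFailureAt, lockedUntil }
  }

  // Call before verifying the password. Says whether the attempt may proceed.
  check(key, nowSeconds) {
    const s = this.state.get(key);
    if (!s || s.lockedUntil <= nowSeconds) return { allowed: true, retryAfterSeconds: 0 };
    return { allowed: false, retryAfterSeconds: s.lockedUntil - nowSeconds };
  }

  // Call after a failed password check. Returns the lockout applied (0 if none).
  recordFailure(key, nowSeconds) {
    const s = this.state.get(key) || { failures: 0, lastFailureAt: 0, lockedUntil: 0 };
    // The quiet period is measured from the end of any lockout, not from the
    // last failure, so waiting out a long lockout does not reset the escalation.
    const quietSince = Math.max(s.lastFailureAt, s.lockedUntil);
    if (nowSeconds - quietSince > FAILURE_WINDOW_SECONDS) s.failures = 0;
    s.failures += 1;
    s.lastFailureAt = nowSeconds;
    let lockout = 0;
    if (s.failures >= FREE_ATTEMPTS) {
      const escalation = s.failures - FREE_ATTEMPTS; // 0 on the first lockout, then 1, 2, ...
      lockout = Math.min(BASE_LOCKOUT_SECONDS * 2 ** escalation, MAX_LOCKOUT_SECONDS);
      s.lockedUntil = nowSeconds + lockout;
    }
    this.state.set(key, s);
    return lockout;
  }

  // Call after a successful login so a legitimate user starts clean.
  recordSuccess(key) {
    this.state.delete(key);
  }
}

// Walks one account through five failures, a lockout, two more failures and a
// success, on a fixed clock so the result is deterministic.
function demo() {
  const throttle = new LoginThrottle();
  const key = 'acct:treasurer@example.edu'; // constructed; keyed on the account
  const lockouts = [];
  let t = 0;
  for (let i = 0; i < FREE_ATTEMPTS; i++) lockouts.push(throttle.recordFailure(key, t++));
  const whileLocked = throttle.check(key, 10);   // locked until t = 4 + 30 = 34
  const afterExpiry = throttle.check(key, 34);
  lockouts.push(throttle.recordFailure(key, 35)); // second lockout: 60 s
  lockouts.push(throttle.recordFailure(key, 96)); // third lockout: 120 s
  throttle.recordSuccess(key);
  const afterSuccess = throttle.check(key, 97);
  return { lockouts, whileLocked, afterExpiry, afterSuccess };
}
```

Keying only on the account lets an attacker lock a victim out by spamming failures; a deployment would normally run a second throttle keyed on the client address and add a CAPTCHA or similar step before the account-level lockout bites.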

3. Infrastructure Security

Hosting

Fratnance is hosted on Vercel's edge network, which provides DDoS protection, automatic scaling, and geographic distribution. Our application code runs in isolated serverless functions with no shared state between requests.

Database

Our PostgreSQL database is hosted on Supabase with dedicated compute resources, automated backups, and network isolation. Database access requires authenticated connections over encrypted channels. Direct database access is restricted to authorized personnel with multi-factor authentication.

Tenant Isolation

Fratnance enforces strict chapter-level data isolation at the application layer. Every database query is scoped to the authenticated user's chapter, preventing cross-tenant data access. API endpoints validate chapter membership before returning any data.

Environment Management

Production secrets (API keys, database credentials, signing keys) are managed through encrypted environment variables and are never committed to source control. Access to production configuration is limited to authorized team members.

4. Payment Security

Fratnance uses Stripe Connect for all payment processing. This means:

  • No card data on our servers: credit card numbers, CVVs, and bank account details are collected and stored exclusively by Stripe. This data never touches Fratnance servers.
  • PCI DSS Level 1: Stripe maintains PCI DSS Level 1 certification, the highest level of compliance in the payments industry.
  • Tokenized transactions: payment methods are represented by Stripe tokens. Even if our application were compromised, no card numbers or bank account details could be recovered from it, because we never hold them.
  • Webhook verification: all Stripe webhook events are verified using cryptographic signatures to prevent tampering and replay attacks.
  • Fraud detection: Stripe Radar provides machine-learning-based fraud detection on all transactions.

5. Access Controls

Role-Based Access Control (RBAC)

Fratnance implements granular role-based access controls. Each chapter member is assigned a role (President, Treasurer, Officer, or Member) that determines what data they can view and what actions they can perform. Permissions include:

  • Members: view their own invoices, payment history, and profile. Cannot access other members' financial data.
  • Officers: view chapter-level reports and member rosters. Limited administrative capabilities.
  • Treasurers: full access to financial data, invoicing, expense management, and reporting.
  • Presidents: full administrative access, including role management, settings, and officer transitions.

Chapter Scoping

Every API request is validated against the authenticated user's chapter membership. Users cannot access data from chapters they do not belong to, regardless of their role.
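The two rules above (chapter membership first, role second) combined in one deny-by-default authorization function, as an added example that is not Fratnance's code. The four roles are the page's; which role each action needs, and the rule that only treasurers and presidents may read other members' financial records, are assumptions made for the example. The users, chapters and invoices are constructed.

```javascript
// Added example (not Fratnance's code): deny-by-default authorization that
// applies chapter scoping before any role check. Role requirements per action
// are assumptions; users and records are constructed.
const ROLE_RANK = { member: 0, officer: 1, treasurer: 2, president: 3 };

// Minimum role for chapter-wide actions. Anything not listed is denied.
const MIN_ROLE = {
  'report:read': 'officer',
  'roster:read': 'officer',
  'invoice:manage': 'treasurer',
  'expense:manage': 'treasurer',
  'role:manage': 'president',
  'settings:manage': 'president',
};

// Actions on a specific member's record: the owner may always read their own,
// anyone else needs at least the role given here.
const OWNER_SCOPED = { 'invoice:read': 'treasurer', 'payment-history:read': 'treasurer' };

function authorize(user, action, resource) {
  // 1. Chapter scoping: membership in the resource's chapter is required
  //    regardless of role. This is the check that blocks cross-tenant access.
  const role = user.memberships[resource.chapterId];
  if (!role) return { allowed: false, reason: 'not a member of this chapter' };

  // 2. Owner-scoped records: own data is visible, others' data needs an elevated role.
  if (action in OWNER_SCOPED) {
    if (resource.ownerId === user.id) return { allowed: true, reason: 'own record' };
    if (ROLE_RANK[role] >= ROLE_RANK[OWNER_SCOPED[action]]) return { allowed: true, reason: `role ${role}` };
    return { allowed: false, reason: `${role} may not read other members' records` };
  }

  // 3. Chapter-wide actions: compare against the minimum role; unknown actions are denied.
  const needed = MIN_ROLE[action];
  if (needed === undefined) return { allowed: false, reason: 'unknown action' };
  if (ROLE_RANK[role] >= ROLE_RANK[needed]) return { allowed: true, reason: `role ${role}` };
  return { allowed: false, reason: `requires ${needed}, has ${role}` };
}

function demo() {
  const alice = { id: 'u1', memberships: { chapterA: 'president' } };
  const bob = { id: 'u2', memberships: { chapterA: 'member' } };
  const carol = { id: 'u3', memberships: { chapterB: 'treasurer' } };
  const bobsInvoice = { chapterId: 'chapterA', ownerId: 'u2' };
  const alicesInvoice = { chapterId: 'chapterA', ownerId: 'u1' };
  const chapterASettings = { chapterId: 'chapterA' };
  return {
    crossTenant: authorize(carol, 'invoice:read', bobsInvoice),          // denied despite treasurer role
    ownRecord: authorize(bob, 'invoice:read', bobsInvoice),              // allowed
    peerRecord: authorize(bob, 'invoice:read', alicesInvoice),           // denied
    presidentReads: authorize(alice, 'invoice:read', bobsInvoice),       // allowed
    memberEscalates: authorize(bob, 'settings:manage', chapterASettings), // denied
    unknownAction: authorize(alice, 'ledger:delete', chapterASettings),   // denied
  };
}
```

The order matters: checking the role before membership would let a president of one chapter pass a role test for another chapter's data, so the membership lookup is done first and the role is read from that membership rather than from the user object.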

Audit Trail

All significant actions (financial transactions, role changes, setting modifications, member management) are recorded in an immutable audit log. Chapter administrators can review the audit trail to monitor activity and investigate incidents.

6. Data Protection and Backups

Automated Backups

Our database is backed up automatically on a daily basis, with point-in-time recovery available for the most recent 7-day window. Backups are encrypted and stored in a geographically separate location from the primary database.

Data Retention

We retain data only as long as necessary to provide the service and comply with legal obligations. When an account is deleted, personal data is purged within 30 days. Financial records may be retained for up to 7 years for tax and legal compliance. For full details, see our Privacy Policy.

Data Export

Chapter administrators can export financial reports, member rosters, and transaction histories in CSV and PDF formats at any time. This ensures chapters always have access to their own data and are not locked into the platform.

7. Vulnerability Reporting

We take security vulnerabilities seriously and appreciate responsible disclosure. If you discover a security issue, please report it to us immediately:

Report a vulnerability

Email: security@fratnance.life

When reporting, please include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce the issue.
  • Any relevant screenshots, logs, or proof-of-concept code.

We commit to the following response timeline:

  • Acknowledgment: within 24 hours of your report.
  • Initial assessment: within 72 hours.
  • Resolution or mitigation: as quickly as possible, with priority based on severity.

We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it. We will not take legal action against researchers who act in good faith.

8. Compliance and Standards

Payment Card Industry (PCI DSS)

Because all payment processing is delegated to Stripe, cardholder data is never stored, processed, or transmitted on our infrastructure, which keeps Fratnance's own PCI DSS scope to a minimum. Stripe itself maintains PCI DSS Level 1 certification. That certification covers Stripe's systems; our responsibility is to keep card data out of ours, which the integration described in section 4 is designed to do.

SOC 2

We are actively working toward SOC 2 Type II certification. Our infrastructure partners (Vercel, Supabase, Stripe) all maintain SOC 2 compliance. We implement security controls aligned with the Trust Services Criteria, including access management, encryption, monitoring, and incident response.

FERPA Awareness

While Fratnance is not an educational institution, we recognize that some chapters may store academic data (GPA, enrollment status) on the platform. We treat academic data with the same level of protection as financial data. Chapter administrators are responsible for ensuring they have appropriate consent to store academic records in the platform. We recommend chapters consult their university's registrar or legal counsel regarding FERPA obligations.

State Privacy Laws

We comply with applicable state privacy laws, including the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). For more information about your rights under these laws, see our Privacy Policy.

9. Incident Response

In the event of a security incident, we follow a structured response process:

  • Detection and containment: we use automated monitoring and alerting to detect anomalies. Upon detection, we immediately isolate affected systems to prevent further exposure.
  • Investigation: our team investigates the scope and impact of the incident using audit logs, server logs, and other forensic data.
  • Notification: affected users and chapters will be notified within 72 hours of confirming a data breach, in compliance with applicable notification laws.
  • Remediation: we implement fixes to address the root cause and prevent recurrence.
  • Post-incident review: every incident concludes with a retrospective to identify improvements to our security posture.

Questions about our security practices?

We are happy to answer questions from current and prospective customers about how we protect your data.