Sprusify
Get started

Security, Privacy & Compliance

This guide summarizes baseline controls for secure operations and responsible data handling.

Data Handling Principles

  • Collect only data required for attribution, payouts, and support workflows.
  • Define retention windows for raw click and event logs.
  • Maintain accurate audit records for adjustments and payout decisions.

Authentication and Access Control

  • Restrict payout approval and manual adjustments to authorized roles.
  • Rotate API keys and webhook secrets on a scheduled cadence.
  • Require secure authentication for all admin access paths.

Webhook and API Security

  • Verify webhook signatures before processing payloads.
  • Use idempotency controls to avoid duplicate transaction effects.
  • Apply rate limiting and monitor repeated invalid requests.

Encryption and Secret Management

  • Use HTTPS/TLS for all inbound and outbound traffic.
  • Store secrets in secure environment stores, never in source control.
  • Encrypt sensitive data at rest where supported by your stack.

Payments and Financial Data

  • Use approved payment providers for payout execution.
  • Keep clear payout states and immutable transaction logs.
  • Avoid handling raw payment card data in app code paths.

Privacy and Regulatory Readiness

  • Support data export and deletion workflows where required by law.
  • Track consent, policy updates, and user-request handling.
  • Coordinate with legal counsel for jurisdiction-specific obligations.

Incident Response Expectations

  • Define ownership for detection, triage, and communication.
  • Preserve forensic logs for investigation.
  • Rotate compromised keys and review affected integrations.

Security Checklist Before Production

  • Webhook signature verification tested.
  • Idempotency behavior verified with replay tests.
  • Role permissions reviewed for least privilege.
  • Monitoring and alerting active for webhook failures.