Skip to main content
FixReminder

Security

Last updated: February 20, 2026

FixReminder is committed to protecting your data. This page describes the security measures we implement across our infrastructure, application, and operations.

Infrastructure

FixReminder is hosted on Vercel, which provides enterprise-grade infrastructure security:

  • SOC 2 Type II certified hosting infrastructure
  • Automatic HTTPS with TLS 1.2+ for all connections
  • Global CDN with built-in DDoS protection
  • Isolated serverless function execution
  • Automatic security patches and platform updates

Encryption

  • In transit: All data encrypted with TLS 1.2 or higher. HSTS enforced with a minimum 1-year max-age.
  • At rest: Database encryption using AES-256, provided by our database provider (Supabase).
  • Passwords: Hashed using bcrypt with a cost factor of 12. Plaintext passwords are never stored.
  • API tokens: Personal access tokens are SHA-256 hashed before storage. The original token is shown once and cannot be retrieved.

Authentication

  • Session management: Secure, HttpOnly JWT session cookies with 30-day expiry via NextAuth.js
  • CSRF protection: Token-based CSRF protection on all mutating requests
  • API authentication: Personal access tokens (PAT) with the fr_ prefix for programmatic access
  • Mobile authentication: Biometric authentication (Face ID / Touch ID) with credentials stored in native Keychain (iOS) or Keystore (Android)
  • Phone verification: Time-limited SMS verification codes (10-minute expiry) for phone number confirmation

Application Security

  • Input validation: All API inputs validated with Zod schemas before processing
  • SQL injection prevention: Prisma ORM with parameterized queries throughout the application
  • XSS prevention: React output encoding by default; no raw HTML injection used anywhere in the application
  • Rate limiting: API rate limiting to prevent abuse
  • Content Security Policy: Restrictive CSP headers to prevent script injection
  • Security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers configured

Data Isolation

FixReminder implements strict data isolation at the application level:

  • All database queries are scoped to the authenticated user or their organization
  • Organization members share data within their team; personal accounts see only their own data
  • API endpoints verify ownership before returning or modifying any resource
  • Admin access is gated by an environment-level email allowlist, separate from user roles

SMS Security

  • SMS delivered via Twilio with A2P (Application-to-Person) 10DLC registration
  • Twilio webhook signatures verified on all inbound messages
  • Phone numbers stored with verification status; unverified numbers cannot receive messages
  • Users can opt out at any time by replying STOP or removing their number in Settings

Push Notification Security

  • Push notifications sent via Firebase Admin SDK (server-side only)
  • Firebase service account credentials stored as environment variables, never exposed to clients
  • Device tokens associated with authenticated users only
  • Native mobile apps store authentication credentials in platform Keychain/Keystore

Audit Logging

All administrative actions are recorded in an audit log, including:

  • User account changes (plan tier, phone resets, deletions)
  • The administrator who performed the action
  • Timestamps and before/after change details
  • IP address of the request

Sub-processors

We use the following third-party services to operate FixReminder. Each maintains their own security certifications and compliance programs:

ProviderPurposeLocation
VercelHosting, CDN, serverless computeUnited States
SupabasePostgreSQL databaseUnited States
StripePayment processingUnited States
ResendEmail deliveryUnited States
TwilioSMS messagingUnited States
Google (Firebase)Push notificationsUnited States
Google (Analytics)Website analyticsUnited States

Responsible Disclosure

If you discover a security vulnerability in FixReminder, please report it responsibly by emailing customerservice@fixreminder.com. Please include:

  • A description of the vulnerability
  • Steps to reproduce
  • Potential impact

We will acknowledge your report within 48 hours and provide a timeline for resolution. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.

Incident Response

In the event of a security incident:

  • 0-4 hours: Incident identified, containment measures initiated
  • 4-24 hours: Root cause analysis, affected users identified
  • 24-72 hours: Affected users and regulatory authorities notified as required
  • Ongoing: Remediation, post-incident review, and process improvements

Contact

For security questions or to report a vulnerability, contact us at: customerservice@fixreminder.com