Security at ClickCarousel
The short version
Your content and credentials are encrypted, access is least-privilege, payments never touch our servers, and every database row is isolated per account. We are a small, focused team — so we keep the attack surface small and lean on best-in-class infrastructure providers rather than running our own.
How your data is protected
- Encryption — all traffic is encrypted in transit (TLS); data is encrypted at rest by our infrastructure providers; LinkedIn access tokens are additionally encrypted at the application level.
- Account isolation — database row-level security ensures your carousels, brand assets and credits are readable only by your account.
- Passwordless sign-in — no password database to steal; sign-in uses one-time email links or a trusted identity provider.
- Payments — handled entirely by Stripe (PCI-DSS Level 1). We never see or store full card numbers.
- Least privilege — internal keys are scoped per service, spend-capped where providers support it, and rotated on a schedule.
- Backups & monitoring — automated database backups and continuous error monitoring, so failures are caught and recovered fast.
Infrastructure
ClickCarousel runs on vetted providers — Vercel (hosting), Supabase (database & auth), Cloudflare (storage) and Stripe (payments) — each with their own strong security and compliance programs. The full list is on our Third-Party page.
Responsible disclosure
Found a vulnerability? Please tell us before anyone else: security@clickcarousel.com. Include steps to reproduce; we respond within 72 hours, keep you updated while we fix it, and credit you if you want. Please avoid accessing other users' data or disrupting the service while testing.