Security

Built like the compliance tool it is

A product whose job is documenting diligence has to be trustworthy itself. Here's how GetAffilert approaches security — concretely, without badges we haven't earned.

Organization isolation at the database layer

Every record belongs to an organization, and row-level security policies enforce isolation in the database itself — not just in application code. Cross-organization access is denied at the lowest layer.

Role-based access control

Owner, admin, member, and viewer roles gate what each person can see and do. Authorization is checked server-side on every operation — never from client-supplied claims alone.

Authentication done conservatively

Passwords are handled by our authentication provider and never stored in readable form. A 12-character minimum applies to new accounts, and authentication endpoints are rate-limited against abuse.

Least-privilege service architecture

Privileged database access is confined to isolated server-side workers and verified webhooks — never exposed to browsers, and never used in ordinary request handling.

Abuse and cost controls

Durable rate limiting protects sign-in, sign-up, imports, scans, exports, and search. Export volumes are capped, and expensive operations respect plan limits.

Audit trails throughout

Significant actions — reviews, issue changes, team changes, administrative operations — write audit events. Organizations can inspect their own activity history in-app.

Evidence integrity

Scan captures, findings, and evidence records are system-managed: written by the scanning pipeline, not directly editable by users. What the record says was found is what was found.

Hardened by default

Strict security headers, formula-injection-safe CSV exports, SSRF protections on content fetching, and secret-redacting structured logs are part of the baseline, not add-ons.
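As an added illustration of the formula-injection-safe CSV export mentioned above (example code, not GetAffilert's own): user-controlled strings that begin with a formula trigger are prefixed so spreadsheet applications treat them as text, following the usual OWASP CSV-injection guidance. The function names and the sample finding rows are constructed for this example.

```python
import csv
import io

# Leading characters that spreadsheet applications may interpret as the start
# of a formula when a CSV file is opened (=, +, -, @, tab, carriage return).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that spreadsheets will render as text, not a formula."""
    if value is None:
        return ""
    # Genuine numbers are not user-supplied formula text; keep "-42" as a number
    # (bool is excluded because it is an int subclass).
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value)
    # Strip leading spaces only, so "  =1+1" is still caught but a leading
    # tab (itself a trigger) is not silently removed before the check.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows, fieldnames):
    """Serialise rows to CSV with every user-controlled cell neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


# Constructed sample rows: an affiliate name and note that look like formulas.
SAMPLE_ROWS = [
    {"affiliate": "=1+1", "finding": "Missing disclosure", "note": "  @SUM(1,2)"},
    {"affiliate": "Acme Partners", "finding": "Broken link", "note": -42},
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS, ["affiliate", "finding", "note"]), end="")
```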

Straight answers

Where we are, honestly

GetAffilert is a young product built with security as a design constraint from day one — row-level security, server-side authorization, audited administrative actions, and immutable system-managed records are foundational, not retrofitted.

We do not yet hold formal certifications such as SOC 2 or ISO 27001, and we won't imply otherwise with borrowed badge walls. If your evaluation requires specific security details, ask — we'd rather answer a hard question directly than decorate this page.

Found a vulnerability? Please report it to agourhassan50@gmail.com and we will respond promptly.

Bring structure to affiliate compliance

Start free with the complete monitoring loop, or talk to us about what your program needs. No credit card required.

GetAffilert helps teams detect and organize compliance risk. It does not provide legal advice.