Security by design.
Security is fundamental to how we build and operate Rank On Maps. This page outlines the practices we follow to protect your data, our infrastructure, and our customers.
Infrastructure
Our infrastructure uses Railway for application hosting and Supabase for database services. Production systems are isolated from development and staging environments.
We use defense-in-depth — layered controls across network, application, identity, and data tiers — to limit the impact of any single failure or compromise.
Data encryption
Data in transit between you and the service is protected with TLS 1.2 or higher. Data at rest in our databases and object storage is encrypted using AES-256 or equivalent industry-standard algorithms.
Encryption keys are managed by our cloud providers' key management services with strict access controls and audit logging.
Access controls
Access to production systems is restricted to authorized personnel who require it for their role. We enforce strong authentication, including multi-factor authentication, and we follow the principle of least privilege.
All access to production data is logged. Logs are reviewed regularly and retained for the period required by applicable regulations.
Application security
We follow secure development practices, including code review, dependency scanning, and automated testing. Third-party libraries are kept up to date and monitored for known vulnerabilities.
We integrate with Google APIs using OAuth 2.0 and request only the scopes required to operate the service. We never store Google account passwords.
Monitoring and incident response
Our systems are continuously monitored for availability, performance, and security events. Anomalies trigger alerts to our engineering team for investigation.
We maintain an incident response process for handling security events. In the event of a confirmed breach affecting your data, we will notify affected customers in accordance with applicable law.
Business continuity
Customer data is backed up regularly. Backups are encrypted and stored separately from production systems. We test our recovery procedures periodically to ensure we can restore service in the event of a major incident.
Reporting a vulnerability
If you believe you have discovered a security vulnerability in our service, please report it responsibly to hello@rankonmaps.app. Include enough detail for us to reproduce the issue, but do not include secrets, customer data, or destructive proof-of-concept steps. We appreciate responsible disclosure and will work with researchers in good faith.