Security

Built so the boring never becomes the news.

Splash handles customer details, photos, and payments. We treat that responsibility seriously and design defensively at every layer.

Encryption everywhere

TLS 1.2+ in transit. Data at rest encrypted with AES-256. Database backups encrypted and access-controlled.

Strong authentication

Argon2id password hashing. Session tokens are signed and short-lived. SSO and 2FA on the roadmap for Pro and Scale.

Least-privilege access

Production access is limited to a small on-call group. All access is logged and reviewed.

Tenant isolation

Every query is scoped by business id at the application layer. Customer A cannot read or write customer B's data.
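
As an added illustration of application-layer tenant scoping (example code, not Splash's own implementation; the schema, the two tenants and the `RequestContext` type are constructed for this example), the repository functions below take the business id only from the authenticated context and attach it to every read and write, so a caller in tenant A who guesses tenant B's row id gets no row rather than someone else's data:

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RequestContext:
    """Derived from the authenticated session. The business id is never read
    from query strings or request bodies, so the client cannot pick a tenant."""
    business_id: int


def build_db() -> sqlite3.Connection:
    """Constructed in-memory schema with rows for two tenants (100 and 200)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customers ("
        " id INTEGER PRIMARY KEY, business_id INTEGER NOT NULL,"
        " name TEXT NOT NULL, phone TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO customers (id, business_id, name, phone) VALUES (?, ?, ?, ?)",
        [
            (1, 100, "Alice", "555-0101"),
            (2, 100, "Bob", "555-0102"),
            (3, 200, "Carol", "555-0201"),
        ],
    )
    db.commit()
    return db


def get_customer(db: sqlite3.Connection, ctx: RequestContext,
                 customer_id: int) -> Optional[Tuple[int, int, str, str]]:
    """Read scoped by tenant: a foreign customer id yields None, never another tenant's row."""
    return db.execute(
        "SELECT id, business_id, name, phone FROM customers"
        " WHERE id = ? AND business_id = ?",
        (customer_id, ctx.business_id),
    ).fetchone()


def list_customers(db: sqlite3.Connection, ctx: RequestContext) -> list:
    """Listing is also scoped; there is no unscoped 'all customers' path in this layer."""
    return db.execute(
        "SELECT id, name FROM customers WHERE business_id = ? ORDER BY id",
        (ctx.business_id,),
    ).fetchall()


def update_phone(db: sqlite3.Connection, ctx: RequestContext,
                 customer_id: int, phone: str) -> int:
    """Write scoped by tenant; returns affected row count (0 when the row is not ours)."""
    cur = db.execute(
        "UPDATE customers SET phone = ? WHERE id = ? AND business_id = ?",
        (phone, customer_id, ctx.business_id),
    )
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    tenant_a = RequestContext(business_id=100)
    print(get_customer(db, tenant_a, 1))       # own row: returned
    print(get_customer(db, tenant_a, 3))       # tenant B's row: None
    print(update_phone(db, tenant_a, 3, "0"))  # tenant B's row: 0 rows updated
```

The check worth keeping in code review is that no data-access function accepts a business id as a parameter from the caller; it always comes from `RequestContext`, and a query without the `business_id` predicate should not pass review.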

PCI scope minimized

Payment card data flows directly to Stripe. Splash never sees full PANs and is not in PCI scope for cardholder storage.

Hardened headers

HSTS preload, X-Frame-Options DENY, strict referrer policy, and tight permissions policy applied to every response.
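
As an added example (not Splash's configuration; the header values and the policy thresholds below are assumptions chosen for illustration), here is one way to apply that header set to every response and to check a response's headers against it, so a deployment where one of them regressed shows up as a finding. The HSTS thresholds follow the preload list's published requirements (max-age of at least one year, includeSubDomains, preload):

```python
from __future__ import annotations

# Constructed policy reflecting the four headers named on the page.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}

# Referrer policies this check treats as "strict" (assumption for the example).
STRICT_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}
ONE_YEAR_SECONDS = 31536000


def apply_hardened_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return a copy of the response headers with the hardened set applied.
    Existing values for the same header (any letter case) are replaced."""
    managed = {k.lower() for k in HARDENED_HEADERS}
    out = {k: v for k, v in headers.items() if k.lower() not in managed}
    out.update(HARDENED_HEADERS)
    return out


def _hsts_directives(value: str) -> tuple[int, set[str]]:
    """Parse an HSTS header into (max_age, set of lowercase directives)."""
    directives = {d.strip().lower() for d in value.split(";") if d.strip()}
    max_age = 0
    for d in directives:
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1])
            except ValueError:
                max_age = 0
    return max_age, directives


def header_findings(headers: dict[str, str]) -> list[str]:
    """List the ways a response falls short of the policy; an empty list means it passes."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    max_age, directives = _hsts_directives(h.get("strict-transport-security", ""))
    if (max_age < ONE_YEAR_SECONDS or "includesubdomains" not in directives
            or "preload" not in directives):
        findings.append("Strict-Transport-Security: need max-age>=31536000; "
                        "includeSubDomains; preload")

    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options: expected DENY")

    if h.get("referrer-policy", "").strip().lower() not in STRICT_REFERRER_POLICIES:
        findings.append("Referrer-Policy: expected a strict policy")

    if not h.get("permissions-policy", "").strip():
        findings.append("Permissions-Policy: missing")
    return findings


if __name__ == "__main__":
    # Constructed response headers with a weak HSTS value and framing allowed.
    weak = {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=300",
        "X-Frame-Options": "SAMEORIGIN",
    }
    for finding in header_findings(weak):
        print("finding:", finding)
    print("after hardening:", header_findings(apply_hardened_headers(weak)))
```

In a real service `apply_hardened_headers` sits in response middleware so it runs on every path, including error pages and redirects; `header_findings` is the kind of check to run in an integration test or a post-deploy smoke test so a regression is caught before it reaches users.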

Audit logging

Sensitive admin actions are logged with actor, IP, and timestamp for forensic investigation.

Secure development

Mandatory code review, automated dependency scanning, and a private security review before every major release.

Infrastructure

  • Hosted on a major cloud provider with SOC 2 Type II controls.
  • Managed Postgres with daily encrypted backups and point-in-time recovery.
  • Object storage for photos with signed, expiring URLs and per-tenant prefixes.
  • Separate environments for development, staging, and production with no shared credentials.

Application & data

  • All endpoints rate-limited; abusive traffic blocked at the edge.
  • Webhooks signed with HMAC-SHA256 and timestamp-validated.
  • Customer data is portable and exportable on request.
  • Photo retention follows the customer's plan; data is removed at the end of the retention window.
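
As an added example of the webhook signing scheme described above (example code, not Splash's own implementation; the `t=<unix timestamp>,v1=<hex hmac>` header layout, the five-minute replay window, the secret and the event body are all constructed assumptions for this illustration), here are both sides: the sender computes an HMAC-SHA256 over the timestamp and the raw body, and the receiver rejects stale timestamps before comparing MACs in constant time:

```python
from __future__ import annotations

import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed replay window for this example

# Constructed values; not a real key or a real event.
SECRET = b"whsec_constructed_example_secret"
BODY = json.dumps({"event": "booking.paid", "booking_id": "bk_123", "amount": 4500}).encode()


def _signed_payload(timestamp: int, body: bytes) -> bytes:
    # The timestamp is bound into the MAC, so it cannot be refreshed by a replayer
    # who lacks the key.
    return f"{timestamp}.".encode() + body


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: produce the signature header for a delivery."""
    mac = hmac.new(secret, _signed_payload(timestamp, body), hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def parse_signature_header(header: str) -> tuple[int, str] | None:
    """Split 't=...,v1=...' into (timestamp, hex mac); None if malformed."""
    parts = dict(p.strip().split("=", 1) for p in header.split(",") if "=" in p)
    try:
        return int(parts["t"]), parts["v1"]
    except (KeyError, ValueError):
        return None


def verify_webhook(secret: bytes, header: str, body: bytes,
                   now: int | None = None, tolerance: int = TOLERANCE_SECONDS) -> bool:
    """Receiver side: verify over the raw request bytes, before any JSON parsing."""
    parsed = parse_signature_header(header)
    if parsed is None:
        return False
    timestamp, provided = parsed
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > tolerance:
        return False  # outside the replay window; do not even compute the MAC
    expected = hmac.new(secret, _signed_payload(timestamp, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    ts = int(time.time())
    header = sign_webhook(SECRET, ts, BODY)
    print("fresh, intact:", verify_webhook(SECRET, header, BODY))
    print("tampered body:", verify_webhook(SECRET, header, BODY + b" "))
    print("stale replay :", verify_webhook(SECRET, header, BODY, now=ts + 600))
```

Two details matter in practice: verify over the exact bytes received rather than a re-serialised object (re-encoding can reorder keys or change whitespace and break the MAC), and keep the timestamp check ahead of the MAC comparison so a replayed-but-valid delivery is rejected by age alone.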

Payments

  • All card data is tokenized by Stripe; Splash receives only metadata.
  • Operators connect their own Stripe accounts via Stripe Connect Standard.
  • Splash does not custody funds — payouts flow directly from Stripe to the operator's bank account.
  • Refunds are auditable with timestamps and the acting admin.

People & process

  • Background checks for employees with production access.
  • Mandatory MFA on every admin account and infrastructure provider.
  • Quarterly access reviews; immediate revocation on offboarding.
  • Incident response runbooks with on-call rotations.

Responsible disclosure

Found a security issue? We'd love to hear from you. Please email the team via the contact page with [security] in the subject line. We acknowledge reports within one business day and aim to fix qualifying issues quickly. We do not currently run a paid bounty, but we recognize researchers in our changelog.

Report a vulnerability →

Compliance & attestations

Splash is in private beta. SOC 2 Type II is on the roadmap; a gap assessment is underway. A signed Data Processing Addendum is available on request and is published in summary form on our DPA page.

  • GDPR-aligned
  • CCPA-aligned
  • Stripe Connect Standard
  • TLS 1.2+

Note: Final legal and security review required before any of these statements appear on a publicly launched site.