Security at PestPaid

How we keep your customer data safe.

Encryption

All connections use TLS 1.3. Data at rest in Neon Postgres is encrypted with AES-256.

Data storage

Customer data is stored on Neon (Postgres), hosted on AWS. Photos and uploaded files are stored on Cloudflare R2. Both providers are SOC 2 Type II certified.

Authentication

Logins are managed by Clerk. You can sign in with email/password, Google sign-in, or passwordless 6-digit email codes. Password rules are aligned with NIST SP 800-63B: an 8-character minimum, a breach check against the haveibeenpwned database on signup and password change, and rejection of low-entropy passwords. We do not store your password — Clerk does, hashed with Argon2id.

Multi-factor authentication

Coming in our v2 release: optional TOTP 2FA for all users.

Sessions

You can see your active sessions in Account Settings and log out remotely from any device.

Payments

Your PestPaid subscription is billed through Lemon Squeezy, our Merchant of Record. They collect and remit US sales tax (and EU VAT for EU customers) and issue tax-compliant receipts on our behalf.

Your customers' payments to you flow through Stripe directly to your bank account — PestPaid never touches the funds and never sees the card details. We do not store payment card numbers anywhere.

What we don't do

  • We never sell your customer data
  • We never share your data with advertisers
  • We never use your data to train AI models without your explicit opt-in
  • We do not take a platform fee on payments your customers make

Reporting a vulnerability

Email security@pestpaid.com. We respond within 48 hours.

Last updated: June 2, 2026