How we keep you safe
Security is not an afterthought at Wordelly. It is built into every layer of the platform. Here is what we do to protect your account and data.
Encrypted in transit
All connections use TLS 1.3. We enforce HTTPS across every endpoint and redirect all plain HTTP requests to HTTPS.
Encrypted at rest
Your data is stored with AES-256 encryption on Supabase-hosted PostgreSQL databases.
Secure authentication
Passwords are hashed with bcrypt (cost factor 12). We support OAuth 2.0 sign-in via Google. Session tokens are rotated on every login.
Input validation
All user inputs are validated and sanitised server-side. We protect against SQL injection, XSS, and CSRF attacks.
Dependency management
Dependencies are audited regularly with automated scanning. We apply security patches within 48 hours of a disclosed vulnerability.
Access controls
Internal access to production data is strictly limited and logged. No single employee can access user data without a logged reason.
Payment security
We never store card numbers. All payments are handled directly by Paddle, a PCI DSS-certified merchant of record.
Audit logging
Critical actions (sign-in, plan changes, data deletion) are logged with timestamps and IP addresses for accountability.
Responsible disclosure
If you discover a security vulnerability in Wordelly, please report it responsibly to support@wordelly.com before disclosing it publicly. We will acknowledge your report within 48 hours, investigate promptly, and credit you if you wish. Please do not attempt to access, modify, or delete other users' data as part of any testing.