Infrastructure

  • Hosted on Vercel – global edge network with automatic DDoS protection
  • Database on Supabase – PostgreSQL with row-level security, encrypted at rest
  • Cache on Upstash Redis – encrypted, serverless Redis with TLS
  • DNS on Cloudflare – additional DDoS protection and SSL termination

Authentication

API Keys

  • All API keys are hashed before storage – we never store plaintext keys
  • Keys are prefixed by type for easy identification:
    • ak_live_ – merchant keys
    • ak_aff_ – affiliate keys
    • ak_onb_ – onboarding keys
  • Keys are scoped – each key only has access to the permissions you grant
  • Keys can be revoked instantly from the dashboard

Webhook Signatures

  • All outbound webhooks are signed with HMAC-SHA256
  • Signing secrets are derived per-endpoint (not shared across endpoints)
  • Timestamp validation prevents replay attacks
  • See Signature Verification for implementation details

Data Protection

What We Store

| Data | Purpose | Retention |
|---|---|---|
| Click data | Attribution tracking | Duration of cookie window + 30 days |
| Conversion data | Commission calculation | Indefinite (business records) |
| Affiliate profiles | Account management | Until account deletion |
| Tracking cookies | Attribution | First-party, configurable duration |

What We Don’t Store

  • Credit card numbers (handled entirely by Stripe)
  • Customer passwords
  • Raw Stripe webhook payloads (processed and discarded)

Cookies

  • First-party only – no third-party cookies
  • SameSite=Lax – prevents CSRF
  • HttpOnly where applicable
  • Cookie names: agentref_cid, agentref_pid, agentref_src, agentref_vid, agentref_ts

GDPR & Privacy

  • Consent mode – tracking script supports deferred consent (data-consent="false")
  • No cross-site tracking – all cookies are first-party
  • Data minimization – we only collect what’s needed for attribution
  • Right to deletion – affiliates and merchants can request account deletion
  • See Consent & GDPR for implementation details
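The block below is an added example, not agentref's tracking script or server code, covering both the Cookies list and the consent-mode bullet above: a `Set-Cookie` builder that only emits the page's cookie names with the listed attributes, and a consent gate that holds attribution events while `data-consent="false"` is in effect and writes them only once consent is granted. The cookie names and the attribute values come from the page; the helper names, the `Path`, `Max-Age` and `Secure` choices, and the "queue until consent" behaviour are assumptions.

```javascript
// Added example (not agentref's code). Cookie names and SameSite/HttpOnly are
// from the page; everything else here is an assumption for illustration.
const TRACKING_COOKIES = new Set([
  'agentref_cid', 'agentref_pid', 'agentref_src', 'agentref_vid', 'agentref_ts',
]);

// Server-side Set-Cookie header for a first-party tracking cookie.
// No Domain attribute is emitted, so the cookie stays with the merchant host
// that set it; SameSite=Lax keeps it off cross-site POSTs (CSRF); HttpOnly is
// applied unless the browser script genuinely needs to read the value.
function setCookieHeader(name, value, { maxAgeSeconds, httpOnly = true }) {
  if (!TRACKING_COOKIES.has(name)) throw new Error(`unexpected cookie name: ${name}`);
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds <= 0) {
    throw new Error('maxAgeSeconds must be a positive integer');
  }
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`, // the "configurable duration" from the table
    'SameSite=Lax',
    'Secure',
  ];
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Consent gate for the tracking script. With data-consent="false" on the
// script tag, nothing is written until grant() is called; deny() discards
// whatever was held so that no attribution data is ever persisted.
class ConsentGate {
  constructor(scriptAttrs) {
    this.granted = scriptAttrs['data-consent'] !== 'false';
    this.pending = [];  // events held while consent is outstanding
    this.written = [];  // events actually persisted (stand-in for cookie writes)
  }

  record(event) {
    if (this.granted) this.written.push(event);
    else this.pending.push(event);
  }

  grant() {
    this.granted = true;
    this.written.push(...this.pending);
    this.pending = [];
  }

  deny() {
    this.granted = false;
    this.pending = [];
  }
}

module.exports = { TRACKING_COOKIES, setCookieHeader, ConsentGate };
```

Rejecting unknown cookie names in `setCookieHeader` is a cheap data-minimization check: it makes a new cookie an explicit code change rather than something that can be added by a stray call.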

Responsible Disclosure

If you discover a security vulnerability, please email security@agentref.co. We take all reports seriously and will respond within 48 hours.

Never share API keys in public repositories, client-side code, or support tickets. If a key is compromised, revoke it immediately in the dashboard and create a new one.