← Home

Security

PerfectFit is a B2B SaaS size-recommendation service. This page documents our security posture and our commitments regarding partner data. Last updated: May 25, 2026.

Responsible disclosure

Suspect a vulnerability on PerfectFit? Email security@perfectfit.local. We acknowledge receipt within 48 business hours and ship a fix within 30 days (90 days for vulnerabilities not remotely exploitable). See also our security.txt (RFC 9116).

API authentication

Each tenant receives an API key stored hashed (SHA-256) in the database. The raw key is never logged or exposed. Verification via a PostgreSQL RPC in SECURITY DEFINER restricted to the service_role role. Accepted via the x-pf-raw-key header,Authorization: Bearer, or X-API-Key.

Rate limiting

Sliding window of 60 s by default, configurable per tenant via the api_keys.rate_limit column. 429 response with Retry-After and X-RateLimit-* headers.

Data isolation

PostgreSQL Row Level Security enabled on all sensitive tables (api_keys, admin_users, recommendation_clicks,sizing_events, rate_limit_buckets). Only the service_role role on the API side accesses the data; the anon and authenticated roles can only access public reference data (size charts).

Hosting and encryption

Vercel hosting (CDG1 Paris region) + Supabase EU-West-1 (Dublin). All communications over TLS 1.2+. HSTS preload enabled (max-age=63072000). Data at rest encrypted with AES-256 (Supabase managed).

CORS

Origins explicitly allowlisted via the NEXT_PUBLIC_API_ALLOWED_ORIGINS variable. Unauthorized origins do not receive an Access-Control-Allow-Origin header → blocked by the browser.

Administrator passwords

bcrypt hashing (12 rounds). Legacy SHA-256 hashes are migrated transparently to bcrypt on the first login after deployment.

Logs and observability

Structured logs with no personal data or schema details (no leak of column names or constraints). Vercel log retention 30 days by default.

Subprocessors

Vercel Inc. (hosting) · Supabase Inc. (database + auth + storage) · Anthropic PBC (Claude Vision for OCR extraction of labels). No other provider has access to customer data.

Hall of Fame

No researcher has reported a valid vulnerability yet. The first will be credited here (if they wish), with a link to their professional profile.