Security at Badge.io
We take the security of your badge data and your recipients' information seriously. Here's how we protect you.
Encryption in transit & at rest
All data is encrypted using TLS 1.3 in transit. Database data is encrypted at rest using AES-256. Badge cryptographic proofs use industry-standard signing.
Row-Level Security (RLS)
Every table is protected by PostgreSQL row-level security policies. Organizations can only access their own data. Super admin access is separately gated and audit-logged.
Infrastructure
Badge.io is hosted on Supabase (built on AWS). We use isolated database instances per deployment region, with regular automated backups and point-in-time recovery.
Audit logging
All admin actions are logged to an append-only audit log. Badge issuances are cryptographically signed and immutable. Webhook deliveries are logged with full request/response data.
Fraud detection
Badge claim events receive real-time fraud scoring, covering velocity abuse detection, disposable email detection, and location anomaly alerts. Badges flagged as fraudulent are automatically quarantined.
Access controls
Access is governed by role-based access control with four roles: org_owner, org_admin, org_viewer, and end_user. SSO/SAML is available on Business+ plans, and multi-factor authentication is supported via Supabase Auth.
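To make the row-level security and role model above concrete, here is an added PostgreSQL example of how a per-organization RLS policy and role-gated writes fit together. It is illustrative code, not Badge.io's actual schema or policies: the organizations, memberships and badges tables, the has_org_role helper and the JWT claim lookup are all assumptions. On Supabase the built-in auth.uid() function plays the part of current_user_id() below.

```sql
-- Added example, not Badge.io's schema. Table names, columns and helpers are assumed.

create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Which user belongs to which org, and with which role (roles as named on the page).
create table memberships (
  user_id uuid not null,
  org_id  uuid not null references organizations(id),
  role    text not null
          check (role in ('org_owner', 'org_admin', 'org_viewer', 'end_user')),
  primary key (user_id, org_id)
);

create table badges (
  id              uuid primary key default gen_random_uuid(),
  org_id          uuid not null references organizations(id),
  recipient_email text not null,
  issued_at       timestamptz not null default now()
);

-- Caller identity from the JWT "sub" claim that PostgREST/Supabase place in
-- request.jwt.claims. Returns NULL (no access) when no claims are set.
create or replace function current_user_id() returns uuid
language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'sub')::uuid
$$;

-- SECURITY DEFINER so the policy check can read memberships even though
-- memberships is itself RLS-protected; search_path pinned to avoid hijacking.
create or replace function has_org_role(target_org uuid, allowed text[])
returns boolean
language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from memberships m
     where m.org_id  = target_org
       and m.user_id = current_user_id()
       and m.role    = any(allowed)
  )
$$;

-- Deny by default: with RLS enabled and FORCEd, a row is visible only if some
-- policy grants it, even to the table owner.
alter table memberships enable row level security;
alter table memberships force row level security;
alter table badges enable row level security;
alter table badges force row level security;

-- Users may see only their own membership rows.
create policy memberships_self on memberships
  for select using (user_id = current_user_id());

-- Any member of an org can read that org's badges; nothing from other orgs.
create policy badges_read_own_org on badges
  for select using (
    has_org_role(org_id, array['org_owner', 'org_admin', 'org_viewer', 'end_user'])
  );

-- Only owners and admins may issue, change or remove badges.
-- WITH CHECK also blocks inserting a badge into an org the caller does not administer.
create policy badges_insert_admin on badges
  for insert with check (has_org_role(org_id, array['org_owner', 'org_admin']));

create policy badges_update_admin on badges
  for update
  using      (has_org_role(org_id, array['org_owner', 'org_admin']))
  with check (has_org_role(org_id, array['org_owner', 'org_admin']));

create policy badges_delete_admin on badges
  for delete using (has_org_role(org_id, array['org_owner', 'org_admin']));

-- Quick check inside one transaction (constructed sample identity):
-- a viewer in org A sees org A's badges but cannot insert, and sees nothing of org B.
begin;
  set local request.jwt.claims = '{"sub":"11111111-1111-1111-1111-111111111111"}';
  select count(*) from badges;            -- only rows where the caller is a member
  -- insert into badges (org_id, recipient_email) values (...);  -- rejected for org_viewer
rollback;
```

Two design points worth noting: the policies are written so that the permissive SELECT policy and the write policies are separate statements, which keeps read access from accidentally widening write access; and the membership lookup is wrapped in a SECURITY DEFINER function so the memberships table can itself stay behind RLS without the policy evaluation recursing into it.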
Report a vulnerability
Found a security issue? We operate a responsible disclosure program. Please report vulnerabilities to security@badge.io. We aim to respond within 24 hours and will credit researchers for valid reports.