Security you can verify
Every layer of Provn is built with privacy, security, and authenticity at its core. Here's exactly how we protect your data and ensure every review is genuine.
Triple Verification System
Every Provn review passes three independent verification checks before earning the "Verified" badge.
Location Verification
GPS coordinates captured at scan time and compared against the registered property address. Raw coordinates are discarded after verification — only the pass/fail status and distance are stored.
Configurable radius (50m–500m)
IP geolocation cross-check
GPS accuracy threshold filtering
Spoofing detection via device fingerprinting
Identity Confirmation
Every QR code is pre-assigned to a named recipient with a verified email address. No anonymous reviews. No competitor sabotage. Each code is single-use and tied to one specific interaction.
Pre-assigned QR codes (not generic links)
Email-verified reviewer identity
Cryptographically signed single-use tokens
Anti-replay protection on all tokens
Time Validation
Reviews are triggered 1–4 hours after the check-in, ensuring feedback is fresh and relevant. The review window is configurable (1–30 days) with automatic expiry.
Configurable delay (30 min – 12 hours)
Automatic reminder emails (24h + 72h)
Review window with hard expiry
Timestamps recorded at every stage
Security Practices
How we protect your data at every level of the stack.
Encryption
TLS 1.3 for all data in transit
AES-256 encryption at rest
Cryptographically signed review tokens
API keys hashed — never stored in plain text
OAuth tokens encrypted in database
Infrastructure
Hosted on Vercel (SOC 2 Type II compliant)
Database on Supabase (SOC 2, ISO 27001)
No self-hosted servers — fully managed infrastructure
Automatic security patches and updates
DDoS protection via Vercel Edge Network
Privacy by Design
Raw GPS coordinates discarded after verification
Only distance and pass/fail status retained
No tracking cookies on consumer-facing pages
GDPR-compliant data processing
One-click account deletion with full data purge
Compliance
GDPR compliant (EU data protection)
SOC 2 infrastructure (Vercel + Supabase)
HSTS enforced (2-year max-age)
Content Security Policy headers
X-Frame-Options, X-Content-Type-Options
API Security
API key authentication with daily rate limits
Per-plan rate limiting with burst protection
Distributed rate limiter (serverless-safe)
CORS restricted to registered domains
Cryptographically signed webhook payloads
Access Control
Role-based access (Owner, Admin, Member)
Plan-based feature gating (server-side enforced)
Supabase Auth with session management
Admin access restricted to approved email list
Team member limits enforced per plan tier
Data Handling
What we collect, why, and how long we keep it.
| Data Type | Purpose | Retention |
|---|---|---|
| GPS Coordinates | Location verification | Discarded after verification (seconds) |
| Verification Distance | Audit trail | Retained while account active |
| Review Content | Display + analytics | Retained while account active |
| Reviewer Email | Identity verification | Retained while account active |
| IP Address | Rate limiting + anti-spoofing | 24 hours |
| Device Fingerprint Hash | Anti-spoofing | Hashed — not reversible |
| API Keys | Authentication | SHA-256 hashed — not stored in plain text |
Report a Vulnerability
If you've found a security issue, we want to hear about it. We take all reports seriously and will respond within 24 hours.
Report Securely