Security
Last updated: April 28, 2026
Our approach
Nexrole sits between your Stripe account and your Discord server. We take that trust seriously. This page explains how we protect your data, what access we actually have, and how to report a vulnerability.
What access we have — and don't have
We connect to two external services on your behalf. Here's exactly what we can and cannot do:
Stripe (read-only)
Can do
Cannot do
Discord (role management only)
Can do
Cannot do
Data protection
- Encryption in transit — all data is transmitted over HTTPS/TLS. We enforce HTTPS everywhere with no HTTP fallback.
- Encryption at rest — Stripe OAuth tokens and sensitive credentials are encrypted at rest in our database using AES-256.
- Database access — our production database (Supabase/PostgreSQL) is not publicly accessible. Access is restricted to the application and specific developer IPs via VPN.
- Secrets management — API keys and secrets are stored as environment variables, never committed to source code. We rotate keys regularly.
- Minimal data retention — activity logs are purged after 90 days. We do not retain data longer than necessary.
Infrastructure
- Hosting — the Nexrole web app is hosted on Vercel with edge deployment across multiple regions. The Discord bot runs on Railway with automatic restarts.
- Webhook security — all inbound Stripe webhooks are verified using Stripe's webhook signature (HMAC-SHA256) before any processing occurs. Unverified events are rejected.
- Idempotency — every webhook event is logged with its Stripe event ID before processing. Duplicate events are silently ignored, preventing double-grants or double-revokes.
- Rate limiting — API routes are rate-limited to prevent abuse. Discord API calls respect Discord's rate limits with automatic backoff.
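The webhook security and idempotency items above, sketched as an added example (not Nexrole's code). It assumes Stripe's documented `t=...,v1=...` signature header; the 300-second tolerance, the `events` table, the function names and the sample secret and event are constructed for illustration.

```python
import hashlib, hmac, json, sqlite3

TOLERANCE_S = 300  # assumed replay window; the page does not state one

def _mac(secret, ts, payload):
    # Stripe signs "<timestamp>.<raw body>" with HMAC-SHA256
    return hmac.new(secret, f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()

def sign(secret, payload, ts):
    """Build a header for the constructed test deliveries below."""
    return f"t={ts},v1={_mac(secret, ts, payload)}"

def verify(secret, payload, header, now):
    """True only if a v1 signature matches and the timestamp is fresh."""
    parts = [p.split("=", 1) for p in header.split(",") if "=" in p]
    ts = next((v for k, v in parts if k == "t"), "")
    if not (ts.isascii() and ts.isdigit()) or abs(now - int(ts)) > TOLERANCE_S:
        return False
    expected = _mac(secret, ts, payload).encode()
    # constant-time comparison on bytes; attacker-supplied text cannot raise
    return any(k == "v1" and hmac.compare_digest(v.encode(), expected)
               for k, v in parts)

def handle(db, secret, payload, header, now):
    """Return 'rejected', 'duplicate' or 'processed' for one delivery."""
    if not verify(secret, payload, header, now):
        return "rejected"  # body is not even parsed before verification
    event = json.loads(payload)
    try:
        # The PRIMARY KEY turns the log insert into an atomic dedupe check
        db.execute("INSERT INTO events(id, type) VALUES (?, ?)",
                   (event["id"], event["type"]))
    except sqlite3.IntegrityError:
        return "duplicate"
    db.commit()
    return "processed"  # the role grant or revoke would run here

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events(id TEXT PRIMARY KEY, type TEXT)")
    secret, now = b"whsec_constructed_example", 1_700_000_000
    body = json.dumps({"id": "evt_constructed_1",
                       "type": "customer.subscription.deleted"}).encode()
    good = sign(secret, body, now)
    return [
        handle(db, secret, body, good, now),          # first delivery
        handle(db, secret, body, good, now + 10),     # retry of same event
        handle(db, secret, body.replace(b"deleted", b"created"), good, now),
        handle(db, secret, body, good, now + 3600),   # stale replay
    ]
```

Recording the event ID before acting means a retried delivery cannot trigger a second grant or revoke, and verifying against the raw body (not re-serialized JSON) is what makes the tampered delivery fail.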
Access controls
- Employee access to production systems is limited to a need-to-know basis and requires two-factor authentication.
- We do not share credentials between employees. All access is individually auditable.
- Customer data is never accessed by employees unless required to investigate a reported issue, and only with the customer's knowledge.
Responsible disclosure
If you discover a security vulnerability in Nexrole, please report it to us before making it public. We will acknowledge your report within 48 hours, investigate promptly, and keep you updated on our progress.
Report security issues to: security@nexrole.io
Please include: a description of the issue, steps to reproduce, and your assessment of potential impact. We ask that you give us reasonable time to patch before any public disclosure. We do not currently offer a formal bug bounty, but we will credit researchers who report valid issues (with their permission).
What to do if you suspect a breach
If you suspect your Nexrole account has been compromised, take the following steps immediately:
- Change your password via your Google/Discord account settings (since we use OAuth, changing the linked account's password is the most effective step).
- Revoke Nexrole's Stripe OAuth access from your Stripe dashboard under Connected Applications.
- Remove the Nexrole bot from your Discord server until the issue is resolved.
- Contact us at security@nexrole.io so we can investigate and assist.