The founder runs a GDPR-compliant SaaS in the UK that has not had a reportable incident in ten years. Elite Mentality uses the same stack and the same posture.
Apple Sign In and Google Sign In on mobile, both verified server-side against each provider's live JWKS. Magic-link email on web through Resend. We never store or roll our own password hashes.
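The "verified server-side against each provider's live JWKS" step, as an added example in TypeScript on Node's `crypto` module; this is not Elite Mentality's code. It assumes the JWKS has already been fetched and cached by `kid` (the constructed `makeProvider` stand-in mints the keys and tokens locally so the example runs offline), and the issuer and audience strings are placeholders.

```typescript
import { createPublicKey, generateKeyPairSync, sign, verify } from "node:crypto";

// Added example (not Elite Mentality's code): server-side RS256 ID-token verification
// against a JWKS keyed by `kid`. In production the JWKS comes from the provider's
// published URL and is cached; here a constructed stand-in provider issues it locally.
type Jwk = { kid?: string; kty?: string; n?: string; e?: string; alg?: string; use?: string };
type Claims = Record<string, unknown>;

const b64url = (data: Buffer | string): string =>
  (typeof data === "string" ? Buffer.from(data) : data).toString("base64url");
const fromB64url = (s: string): Buffer => Buffer.from(s, "base64url");

export function verifyIdToken(
  token: string,
  jwks: { keys: Jwk[] },
  expected: { iss: string; aud: string; now: number },
): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(fromB64url(h).toString("utf8"));
  // Pin the algorithm server-side; the token header must never get to pick "none" or an HMAC alg.
  if (header.alg !== "RS256") throw new Error(`unexpected alg ${header.alg}`);
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === "RSA");
  if (!jwk) throw new Error("unknown kid");
  const pub = createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: "jwk" });
  if (!verify("sha256", Buffer.from(`${h}.${p}`), pub, fromB64url(s))) throw new Error("bad signature");
  const claims: Claims = JSON.parse(fromB64url(p).toString("utf8"));
  // A valid signature is not enough: bind the token to this provider, this app and this moment.
  if (claims.iss !== expected.iss) throw new Error("wrong issuer");
  if (claims.aud !== expected.aud) throw new Error("wrong audience");
  if (typeof claims.exp !== "number" || claims.exp <= expected.now) throw new Error("expired");
  return claims;
}

// Constructed provider stand-in for the offline demo: keypair, JWKS and a token minter.
export function makeProvider(kid = "constructed-kid") {
  const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const jwk = publicKey.export({ format: "jwk" }) as Jwk;
  const jwks = { keys: [{ ...jwk, kid, alg: "RS256", use: "sig" }] };
  const mint = (claims: Claims, alg = "RS256"): string => {
    const h = b64url(JSON.stringify({ alg, kid, typ: "JWT" }));
    const p = b64url(JSON.stringify(claims));
    return `${h}.${p}.${b64url(sign("sha256", Buffer.from(`${h}.${p}`), privateKey))}`;
  };
  return { jwks, mint };
}
```

The order matters: algorithm pinned, key selected by `kid` from the cached JWKS, signature checked, and only then the `iss`, `aud` and `exp` claims, each of which would otherwise let a token minted for a different app or long ago be accepted.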
Web sessions live in secure, HTTP-only cookies. Native uses opaque bearer tokens. We store only the SHA-256 hash of the token. A compromised server log cannot replay your session.
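How storing only the digest of an opaque bearer token makes a leaked server record useless for replay, as an added TypeScript example rather than Elite Mentality's own code. The in-memory `Map` is a constructed stand-in for the sessions table, and `issueToken`, `authenticate` and `revoke` are hypothetical names.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Added example (not Elite Mentality's code): opaque bearer tokens for native clients,
// persisted only as SHA-256 digests. The Map stands in for the sessions table.
type SessionRow = { userId: string; expiresAt: number };
const sessions = new Map<string, SessionRow>(); // key = hex SHA-256 of the token

const digest = (token: string): string => createHash("sha256").update(token).digest("hex");

export function issueToken(userId: string, ttlSeconds: number, now = Date.now()): string {
  const token = randomBytes(32).toString("base64url"); // 256 bits from the CSPRNG
  sessions.set(digest(token), { userId, expiresAt: now + ttlSeconds * 1000 });
  return token; // handed to the client once; the plaintext is never written anywhere
}

// Lookup is by digest, so a table dump or a log line echoing the digest yields nothing
// a client could present: hashing the digest again does not match any row.
export function authenticate(presented: string, now = Date.now()): string | null {
  const key = digest(presented);
  const row = sessions.get(key);
  if (!row) return null;
  if (row.expiresAt <= now) {
    sessions.delete(key); // lazy expiry on the next touch
    return null;
  }
  return row.userId;
}

export function revoke(presented: string): boolean {
  return sessions.delete(digest(presented));
}

export function storedDigests(): string[] {
  return [...sessions.keys()];
}
```

No salt or slow hash is needed here, unlike for passwords: the token already carries 256 bits of entropy, so a fast SHA-256 is both sufficient and what keeps the per-request lookup cheap.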
AES-256-GCM column encryption with versioned keys and rotation support. The encryption key never appears in the database; the database never sees plaintext.
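A versioned AES-256-GCM column-encryption scheme with rotation, as an added TypeScript example on Node's `crypto` module; it is not Elite Mentality's implementation. The in-memory keyring, the `v<N>:iv:tag:ciphertext` storage format and the function names are assumptions; the row id is passed as GCM associated data so a ciphertext cannot be moved to another row.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Added example (not Elite Mentality's code): versioned column encryption. Keys live in
// a keyring outside the database (constructed in memory here); the stored value carries
// the key version, so rotation proceeds row by row while older ciphertexts stay readable.
const keyring = new Map<number, Buffer>([[1, randomBytes(32)], [2, randomBytes(32)]]);
let currentVersion = 2;

export function encryptColumn(plaintext: string, rowId: string): string {
  const key = keyring.get(currentVersion)!;
  const iv = randomBytes(12); // 96-bit nonce, fresh for every encryption under a key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(rowId)); // binds the ciphertext to its row
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return `v${currentVersion}:${iv.toString("base64")}:${tag.toString("base64")}:${ct.toString("base64")}`;
}

export function keyVersionOf(stored: string): number {
  return Number(stored.split(":")[0].slice(1));
}

export function decryptColumn(stored: string, rowId: string): string {
  const [, ivB64, tagB64, ctB64] = stored.split(":");
  const key = keyring.get(keyVersionOf(stored));
  if (!key) throw new Error(`no key for version ${keyVersionOf(stored)}`);
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(ivB64, "base64"));
  decipher.setAAD(Buffer.from(rowId));
  decipher.setAuthTag(Buffer.from(tagB64, "base64"));
  // final() throws if the tag does not verify: wrong key, wrong row, or tampered bytes.
  return Buffer.concat([decipher.update(Buffer.from(ctB64, "base64")), decipher.final()]).toString("utf8");
}

// Introduce a new key version and make it current; old versions are kept for decryption.
export function rotateTo(version: number, key: Buffer = randomBytes(32)): void {
  keyring.set(version, key);
  currentVersion = version;
}

// Background re-encryption step: only rows still on an older version are rewritten.
export function reencrypt(stored: string, rowId: string): string {
  if (keyVersionOf(stored) === currentVersion) return stored;
  return encryptColumn(decryptColumn(stored, rowId), rowId);
}
```

The database only ever holds the version tag, nonce, tag and ciphertext; the keyring is the one place that can turn that back into text, which is the "database never sees plaintext" property stated above.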
Every connection to the API, every push notification, every webhook. HSTS is preloaded, so browsers upgrade to HTTPS before a plaintext connection is ever opened and downgrade attacks fail at the outset.
We store provider customer + subscription IDs. Card numbers, CVCs, and bank details never touch our servers. Stripe webhooks are signature-verified before any DB write.
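The "signature-verified before any DB write" rule for Stripe webhooks, as an added TypeScript example and not Elite Mentality's handler. It implements Stripe's published scheme (a `Stripe-Signature` header of `t=<timestamp>,v1=<hex HMAC-SHA256 over "<timestamp>.<raw body>">`, checked against the endpoint secret within a tolerance window); the `signLikeStripe` stand-in, the event id and secret values, and the `Set` used for idempotency are all constructed for the offline demo.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example (not Elite Mentality's code): verify a Stripe webhook signature over the
// raw request body, then dedupe by event id, and only then touch persistent state.
export function verifyStripeSignature(
  rawBody: string,
  header: string,
  secret: string,
  now: number,
  toleranceSec = 300,
): boolean {
  const fields = header.split(",").map((kv) => kv.split("=", 2) as [string, string]);
  const t = fields.find(([k]) => k === "t")?.[1];
  const sigs = fields.filter(([k]) => k === "v1").map(([, v]) => v);
  if (!t || sigs.length === 0) return false;
  const ts = Number(t);
  // Replay window: a captured, validly signed request is useless once the timestamp ages out.
  if (!Number.isFinite(ts) || Math.abs(now - ts) > toleranceSec) return false;
  const expected = Buffer.from(createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex"), "hex");
  return sigs.some((s) => {
    const got = Buffer.from(s, "hex");
    return got.length === expected.length && timingSafeEqual(got, expected);
  });
}

const processed = new Set<string>(); // stands in for a processed-events table

export function handleWebhook(
  rawBody: string,
  header: string,
  secret: string,
  now: number,
): "rejected" | "duplicate" | "stored" {
  if (!verifyStripeSignature(rawBody, header, secret, now)) return "rejected"; // no DB access yet
  const event = JSON.parse(rawBody);
  if (typeof event.id !== "string") return "rejected";
  if (processed.has(event.id)) return "duplicate"; // Stripe retries; writes must be idempotent
  processed.add(event.id);
  return "stored";
}

// Constructed stand-in for Stripe's side so the example runs offline.
export function signLikeStripe(rawBody: string, secret: string, ts: number): string {
  const v1 = createHmac("sha256", secret).update(`${ts}.${rawBody}`).digest("hex");
  return `t=${ts},v1=${v1}`;
}
```

Two details carry the security: the HMAC is computed over the raw bytes exactly as received (re-serialising parsed JSON would change whitespace and break the MAC), and the comparison is constant-time so a forger cannot learn the expected value byte by byte from response timing.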
Server-side actions run with least-privilege Prisma access. Every cron requires a shared bearer secret plus the Vercel-Cron header. Health endpoint reports per-dependency latency.
Settings → Account → Export. Returns a full JSON of your account, with anti-vision text decrypted into the export (your right under GDPR Article 15).
PII is tombstoned immediately and the row is hard-deleted after a 30-day grace window. Stripe subscriptions are cancelled as part of the purge.
Edit in-app or email hello@elitementality.co.uk. We treat correction requests as a same-day priority.
You always have the right to complain to the UK Information Commissioner's Office at ico.org.uk.
Each operates under a documented data-processing agreement and only on our instructions. We'll email you in advance of any material change.
Email security@elitementality.co.uk. PGP key on request. We aim to acknowledge within 24 hours and remediate critical issues within 7 days. We'll credit you in the disclosure unless you request otherwise.