Security & Trust
Last Updated: April 22, 2026
TL;DR: We encrypt everything in transit and at rest. We never store payment card data. We don't track you with third-party cookies. Passwords and API keys are irreversibly hashed before storage. We follow the principle of least privilege across all systems.
1. Our Commitment
ROLLIN processes accessibility data for tens of thousands of locations and serves users who depend on that data to navigate the physical world. Security isn't a feature we bolt on — it's embedded in how we architect, deploy, and operate every layer of the platform.
2. Infrastructure
Our platform runs on a serverless architecture distributed across a global CDN. There are no persistent servers to compromise or patch. All traffic is encrypted via HTTPS with modern TLS. DDoS protection and web application firewall capabilities are enforced at the edge.
Our infrastructure providers maintain independent third-party compliance certifications including SOC 2. Database backups, network isolation, and automated failover are handled at the infrastructure level.
3. Authentication & Access Control
User passwords are irreversibly hashed using industry-standard algorithms before storage. Plaintext passwords are never stored, logged, or accessible to any personnel. We support email/password and OAuth authentication flows, with sessions managed via secure, httpOnly tokens.
API keys are cryptographically hashed before storage and displayed exactly once at generation. Lost keys must be revoked and regenerated. All API endpoints enforce tiered rate limiting with multiple enforcement windows. Administrative access follows the principle of least privilege with elevated verification requirements.
All secrets, credentials, and environment variables are stored in encrypted configuration and never committed to source control or exposed in client-side code.
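The two storage rules in this section (passwords are hashed with a slow, salted KDF; API keys are hashed and the plaintext is shown exactly once, with lost keys revoked rather than recovered) are illustrated below. This is an added example, not ROLLIN's code: the `rk_` key prefix, the `ApiKeyStore` class, scrypt as the password KDF and the scrypt parameters are all assumptions. The point it makes that the page only implies: a password is low-entropy and needs a deliberately slow hash, while a random 256-bit API key can be stored as a plain SHA-256 digest, and both are compared in constant time.

```python
"""Credential storage pattern: only hashes are stored, the API key plaintext
is returned once at issue time, and revocation is the only recovery path.
Added example (not ROLLIN's code); names and parameters are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Passwords: low-entropy secret, so use a salted, memory-hard KDF.
# scrypt is assumed here as one industry-standard choice (128*N*r = 16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt_hex>$<hash_hex>'; the plaintext is never kept."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest.hex(), hash_hex)


@dataclass
class ApiKeyRecord:
    key_id: str        # public prefix; safe to log, display and revoke by
    key_hash: str      # SHA-256 of the full key; the key itself is not stored
    revoked: bool = False


class ApiKeyStore:
    """In-memory stand-in for the database table holding key hashes."""

    def __init__(self) -> None:
        self._records: dict[str, ApiKeyRecord] = {}

    @staticmethod
    def _hash(full_key: str) -> str:
        # A 256-bit random key is not guessable, so a fast hash is sufficient
        # here; the slow KDF above is only needed for human-chosen secrets.
        return hashlib.sha256(full_key.encode()).hexdigest()

    def issue(self) -> str:
        """Generate a key, persist only its hash, return the plaintext once."""
        key_id = secrets.token_hex(4)           # 8 hex chars, no underscores
        secret = secrets.token_urlsafe(32)      # 256 bits of entropy
        full_key = f"rk_{key_id}_{secret}"      # assumed key format
        self._records[key_id] = ApiKeyRecord(key_id, self._hash(full_key))
        return full_key  # the caller must save this; it cannot be shown again

    def verify(self, presented: str) -> ApiKeyRecord | None:
        """Look up by public id, then constant-time compare the hash."""
        parts = presented.split("_", 2)
        if len(parts) != 3 or parts[0] != "rk":
            return None
        rec = self._records.get(parts[1])
        if rec is None or rec.revoked:
            return None
        if not hmac.compare_digest(rec.key_hash, self._hash(presented)):
            return None
        return rec

    def revoke(self, key_id: str) -> bool:
        """Revocation is immediate: the record stays but never verifies again."""
        rec = self._records.get(key_id)
        if rec is None:
            return False
        rec.revoked = True
        return True
```

Looking up by the public `key_id` before hashing means a wrong key costs one hash and one constant-time comparison, and the id is the only part of the key that should ever appear in logs.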
4. Data Protection
- Payments: We never store, process, or have access to full payment card numbers. All payment processing is handled by a PCI DSS Level 1 certified processor.
- Analytics: We use privacy-first, cookie-free analytics. No third-party advertising trackers, retargeting pixels, or cross-site tracking is present on our platform.
- Community data: Individual contributions are anonymized when aggregated. Internal quality scores are never exposed publicly.
- Location privacy: We do not track your geographic location. Geolocation is only requested when you explicitly use location-based features, and can be revoked at any time.
Data at rest — including credential hashes and sensitive account data — is encrypted using standard encryption provided by our database infrastructure.
5. Mobile App Security
The ROLLIN Concierge iOS application is designed with mobile-specific security controls. Authentication tokens are stored in the iOS Keychain, which is hardware-encrypted and isolated per application. The app contains no third-party advertising SDKs, analytics trackers, or cross-app tracking libraries. Network communication is restricted to TLS-pinned endpoints operated by ROLLIN. The app respects all iOS system privacy controls, including location permissions, push notification authorization, and App Tracking Transparency. Device motion sensor data used for visual effects never leaves the device.
6. Database Access Control
User-facing data is protected by row-level security policies enforced at the database layer. Access policies are applied uniformly across all client surfaces — web, iOS, and API — and cannot be bypassed by the application code. Administrative access requires a separate elevated verification pathway that is independent of standard user authentication. Internal administrative endpoints are protected by a rotating secret header in addition to origin and user-agent validation.
7. API Security
The ROLLIN API is designed with defense-in-depth principles. All endpoints require authenticated access. Multiple layers of rate limiting protect against abuse. Pagination and identifier schemes are designed to resist enumeration and bulk extraction. Automated monitoring flags anomalous request patterns, and flagged activity may result in access restrictions.
API keys can be revoked instantly from the Developer Portal with no propagation delay.
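Section 3 and the paragraph above both mention tiered rate limiting with multiple enforcement windows. The following added example (not ROLLIN's code; the tier names, limits, window sizes and the `MultiWindowLimiter` class are assumptions) shows the general shape of that control: every request is checked against each window of the caller's tier, the tightest window wins, and a denied request is not recorded, so a client that keeps hammering does not push its own recovery further out.

```python
"""Tiered, multi-window rate limiting (sliding-log variant).
Added example (not ROLLIN's code); tiers, limits and windows are assumptions."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Window:
    seconds: int   # length of the enforcement window
    limit: int     # maximum requests allowed inside it


# Assumed tiers. Every window of a tier is enforced on every request.
TIERS: dict[str, tuple[Window, ...]] = {
    "free": (Window(1, 5), Window(60, 100), Window(86400, 5000)),
    "pro": (Window(1, 50), Window(60, 2000), Window(86400, 200000)),
}


class MultiWindowLimiter:
    """Keeps a per-key log of request timestamps and checks each window.

    The clock is passed in by the caller so behaviour is deterministic; a
    production deployment would keep these counters in a shared store."""

    def __init__(self, tiers: dict[str, tuple[Window, ...]] = TIERS) -> None:
        self._tiers = tiers
        self._log: dict[str, deque[float]] = {}

    def check(self, key_id: str, tier: str, now: float) -> tuple[bool, str | None]:
        """Return (allowed, reason). The request is recorded only if allowed."""
        windows = self._tiers[tier]
        log = self._log.setdefault(key_id, deque())

        # Drop timestamps older than the longest window; nothing needs them.
        longest = max(w.seconds for w in windows)
        while log and log[0] <= now - longest:
            log.popleft()

        # Check the shortest window first so the reason names the tightest limit.
        for w in sorted(windows, key=lambda w: w.seconds):
            cutoff = now - w.seconds
            recent = sum(1 for t in log if t > cutoff)
            if recent >= w.limit:
                return False, f"{w.limit}/{w.seconds}s"

        log.append(now)
        return True, None
```

A sliding log is exact but costs memory proportional to the daily limit; fixed-window or token-bucket counters trade that exactness for constant space, which is the usual choice at the edge.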
8. Responsible Disclosure
If you discover a security vulnerability, please report it to security@stacklinestudio.com with a detailed description and steps to reproduce. We commit to acknowledging reports within 48 hours.
We will not pursue legal action against good-faith security researchers, provided they avoid accessing other users' data, allow reasonable remediation time before disclosure, and do not degrade platform availability.
9. Compliance
We maintain HTTPS everywhere, PCI compliance through our payment processor, privacy-first analytics, database-level access control policies, hashed credentials, and tiered rate limiting across all endpoints. We continuously evaluate our security posture and pursue additional certifications as the platform scales.
For security questions or enterprise evaluation requests, contact security@stacklinestudio.com.