Security & Responsible Disclosure
Last updated: July 2026
Security is foundational to Facet Cloud. This page describes how we protect your account and content, and how to report a vulnerability if you find one. It complements our Privacy Policy.
1. How we protect your data
- Encryption in transit: All traffic to get-facet.com and to sites we host is served over HTTPS (TLS). Certificates are provisioned and renewed automatically.
- Tenant isolation: Each customer's site runs as an isolated instance with its own database and storage. One customer cannot read another customer's data.
- Password storage: Account passwords are never stored in plain text — they are hashed with a modern, salted algorithm (bcrypt).
- Payment data: Card details are handled entirely by Stripe, a PCI-DSS Level 1 certified processor. We never see or store full card numbers.
- Least-privilege access: Administrative access to production systems is restricted, authenticated, and logged.
- Backups: Customer data is backed up regularly so it can be restored in the event of a failure.
2. Reporting a vulnerability
If you believe you have found a security vulnerability in Facet Cloud, please report it to us privately at [email protected]. Please include:
- A description of the issue and its potential impact.
- Clear steps to reproduce it (a proof of concept helps).
- Any relevant URLs, request/response captures, or screenshots.
We aim to acknowledge reports within 3 business days and to keep you updated as we investigate and remediate.
3. Safe harbour
We will not pursue legal action against researchers who act in good faith and follow this policy. To stay within safe harbour, please:
- Give us a reasonable opportunity to fix an issue before disclosing it publicly.
- Only access, modify, or delete data that belongs to your own test accounts — never another user's data.
- Avoid privacy violations, service degradation (including denial-of-service and spam), and social-engineering of our staff or customers.
- Do not use automated scanners that generate high-volume, disruptive traffic.
4. Out of scope
The following are generally not eligible reports:
- Missing security headers or best-practice recommendations with no demonstrated impact.
- Reports from automated tools without a working proof of concept.
- Vulnerabilities in third-party services (report those to the relevant vendor).
- Content published by customers on their own sites (report abuse via our Copyright or Acceptable Use channels instead).
5. Reporting a data breach
If we become aware of a personal-data breach that is likely to pose a risk to affected individuals, we will notify the relevant supervisory authority and affected users as required by applicable law, including the New Zealand Privacy Act 2020 and the GDPR. If you suspect your account has been compromised, contact [email protected] immediately.