Security

Clear Plates is hosted on Vercel (frontend and API routes) and Supabase (database and authentication), both built on AWS infrastructure.

The database runs on AWS us-east-1 with Supabase-managed Postgres, which provides automatic backups, point-in-time recovery, and encrypted storage.

All API routes run as isolated serverless functions with no shared state between requests.

Static assets are served through Vercel's global edge network with automatic DDoS protection.

All data in transit is encrypted with TLS 1.2+. Every connection to clearplates.com is served over HTTPS with HSTS enabled (max-age 1 year, includeSubDomains).

Data at rest is encrypted using AES-256 via Supabase's managed Postgres, which encrypts the underlying storage volumes.

Payment data never touches our servers. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor.

User authentication is managed by Supabase Auth with secure JWT tokens. Passwords are hashed with bcrypt (never stored in plaintext).

Every API request is verified server-side. The JWT token is validated, and the user's organization ID is extracted to enforce strict org isolation — you can only access your own fleet's data.

Admin impersonation (“View As”) mode is read-only. Write operations are blocked on all 29 mutation routes when an admin is viewing another organization's data.

Dashboard sessions automatically expire after 30 minutes of inactivity, with multi-tab awareness. The session timer checks across all open tabs before signing out.

All user input is validated server-side using Zod schemas on every mutation route. Invalid input returns field-specific error messages without exposing internal details.

Rate limiting is enforced per IP address across all routes: authentication endpoints (5–10 req/min), public endpoints (5–10 req/min), API proxy routes (30 req/min), and general requests (120 req/min).

Security headers are set on every response: X-Frame-Options DENY, X-Content-Type-Options nosniff, Strict-Transport-Security, and Referrer-Policy strict-origin-when-cross-origin.

Cron endpoints use timing-safe secret comparison to prevent timing attacks on authentication tokens.

Error responses are sanitized — raw database errors are logged internally but never returned to users. Constraint violations, for example, return “This record already exists” rather than exposing table or column names.

Fleet data (vehicles, drivers, assignments) is isolated per organization at the database level. Row-Level Security (RLS) policies are enabled on all tables.

Violation data is sourced from publicly available NYC Open Data APIs. We store a local copy for performance but do not modify the underlying data.

The renter portal uses token-based access with rate limiting (30 requests per minute per token). Tokens are unique per renter and do not expose organization-level data.

We do not sell, share, or monetize your fleet data. Your data is used solely to provide the Clear Plates service.

All payment processing is handled by Stripe, which maintains PCI DSS Level 1 certification — the highest level of compliance in the payments industry.

Credit card numbers, CVVs, and bank account details are processed entirely by Stripe and never stored on our servers.

Stripe webhook events are verified using signature validation to prevent spoofed payment notifications. Webhook processing is idempotent to prevent duplicate charges.

Saved payment methods use Stripe's tokenized storage. We only store the last 4 digits and card brand for display purposes.

Clear Plates is designed with privacy in mind. We collect only the data necessary to provide the service: account information, fleet data, and usage logs.

Our crawlers (the search bots that index content) are allowed, but training crawlers are blocked. We differentiate between AI search crawlers and AI training crawlers in our robots.txt policy.

For details on data collection, usage, and your rights, see our Privacy Policy. For terms governing use of the platform, see our Terms of Service.

All API errors are logged to an internal error_log table with user context, request path, and timestamps. The admin panel provides real-time error monitoring.

Violation sync jobs run nightly with retry logic and concurrency controls. Failed syncs are tracked in the violation_syncs table and flagged for review.

If you discover a security vulnerability, please report it to hello@clearplates.com. We take all reports seriously and will respond within one business day.