Security at Linkos

We protect the accounts, profiles, and payment context creators trust us with.

This page documents the current Linkos security posture, our main subprocessors, and how to report a vulnerability. It is updated as controls ship.

Last reviewed: July 4, 2026
Responsible disclosure: security@linkos.bio

Data We Handle

  • Account data such as email address, name, username, avatar, and authentication metadata.
  • Profile content such as links, public bio pages, themes, custom domains, forms, and creator settings.
  • Product usage data such as subscription state, feature usage, analytics events, and support context.
  • Payment-related identifiers such as Stripe customer, price, subscription, and checkout references. Linkos does not store full card numbers.

Baseline Controls

  • Stripe webhook signatures are verified before an event is allowed to update subscription state.
  • Database access goes through Prisma, which parameterizes queries, rather than hand-written raw SQL.
  • Authentication uses NextAuth with JWT sessions; session cookies are marked Secure in production and use sameSite=lax.
  • Security headers are set globally: HSTS, X-Content-Type-Options nosniff, frame blocking, a referrer policy, a permissions policy, and a Content-Security-Policy in report-only mode for monitoring.
  • Cloudflare Turnstile protects selected anti-abuse surfaces where it is configured.
  • Pull requests are scanned with gitleaks so that accidental secret exposure is caught before merge.

Subprocessors

  • MongoDB: primary application database for account, profile, and product data.
  • Stripe: checkout, subscriptions, invoices, payment status, and customer billing records.
  • Sanity: CMS content and editorial assets.
  • Supabase: user-uploaded asset storage where configured.
  • UploadThing: file upload handling for supported upload flows.
  • Resend: transactional email delivery.
  • Google OAuth: optional sign-in provider.
  • Cloudflare Turnstile: bot and abuse prevention on selected forms.
  • Coolify: application deployment and runtime operations.
  • OpenAI: AI-assisted content features when users invoke those tools.
  • Analytics vendors: product and marketing analytics where configured, including Google Analytics, Microsoft Clarity, DataFast, and Ahrefs.

Report A Vulnerability

Email security@linkos.bio with a clear description, reproduction steps, affected URLs or accounts, and any evidence that helps us verify the issue.

Please avoid accessing, modifying, or deleting data that is not yours. We appreciate good-faith reports and will prioritize confirmed security issues.