Security & Trust

• In transit: every request to Stash is served over HTTPS (TLS 1.2+). Plain HTTP is redirected.
• At rest: your database and uploaded photos are encrypted on disk using AES-256 by our infrastructure provider.
• Passwords: never stored in plaintext. They're hashed with bcrypt inside our authentication provider — even we can't read them.

• Row-level security (RLS): every table that holds your data has database-enforced policies. The query layer cannot return another user's items, photos, or properties — even if the application code has a bug.
• Per-property sharing: co-hosts, cleaners, and staff only see the properties you explicitly invite them to.
• Guest links: are scoped, revocable tokens. You can rotate or disable them at any time from the property's share menu.

• Your data is yours. We do not sell it, rent it, or use it to train AI models.
• We're aligned with GDPR and CCPA: you can export or permanently delete your account and all related data from your settings.
• Read the full Privacy Policy for details on what we collect and why.

All billing runs through Paddle.com, our Merchant of Record. Card numbers never touch Stash servers — Paddle is PCI-DSS Level 1 certified.

• Hosting and database are operated by tier-1 cloud providers with SOC 2 Type II audited data centers.
• Automated daily database backups with point-in-time recovery.
• Application code is deployed via reviewed releases — no direct production access.

We publish a live status page with real-time uptime and any active incidents: status.mystash.online.

If you've found a security issue, please email support@mystash.online with details and steps to reproduce. We respond within two business days and credit responsible reporters once a fix ships.

We're transparent about our stage: Stash is not currently SOC 2 or ISO 27001 certified. If your organization needs a formal audit before adopting Stash, email support@mystash.online and we'll share our roadmap.