Security & Responsible Disclosure
Security approach
Security is treated as an ongoing engineering and operational process. Controls are selected for the current risk profile and are tested in the release pipeline. No website can promise absolute security.
Current controls
- HTTPS and production security headers, including HSTS, Content Security Policy, frame protection, and restrictive browser permissions.
- Secure HttpOnly SameSite session cookies, single-use magic links, session rotation, revocation, and server-side role checks.
- Server-side entitlement and price enforcement; premium question and media delivery requires authorization.
- Stripe-hosted card entry, webhook signature verification, event idempotency, and payment reconciliation controls.
- Input validation, origin checks, request-size limits, hashed-identifier rate limits, safe errors, structured redacted logs, and admin audit records.
- Secret scanning, dependency checks, migration checks, automated security tests, and documented incident, backup, rollback, and rotation procedures.
Payment data
Full payment-card numbers and CVC values are entered on Stripe-hosted Checkout and are not intentionally stored by this application. The app stores limited Stripe references, payment state, amount, currency, plan, entitlement, refund/dispute state, and policy versions.
SOC 2 and assurance status
Irish Theory Test Coach is not currently represented as SOC 2 certified, SOC 2 compliant, or independently audited against SOC 2. SOC 2 is an examination performed by an independent licensed CPA firm against defined controls; it cannot be self-awarded by adding a page or checklist. A hosting or payment provider's report applies to that provider and does not automatically certify this product.
Responsible disclosure
Email uzairwaseem29@gmail.com with the affected URL, time, impact, and safe reproduction steps. Do not access other people's data, use real payment cards, degrade service, send malware, extort the operator, or publish exploitable details before a reasonable remediation window. This is a reporting channel, not a paid bug-bounty promise.
Incident response
Reports are triaged using the operational incident runbook. Where a personal-data breach creates a legal notification duty, the operator will follow the applicable regulator and affected-person notification requirements.
Account safety
Do not forward magic links. Use Logout all devices if account access is in doubt, secure the associated email account, and contact support for unexpected purchases, entitlement changes, or restore messages.