Infrastructure
Vumo runs on Vercel and Supabase, both SOC 2 Type II certified. Data is encrypted at rest (AES-256) and in transit (TLS 1.3). We do not operate our own data centers.
Authentication
We use passwordless magic codes delivered via Resend. Codes are hashed at rest with scrypt, expire after 10 minutes, and are single-use. We do not store plaintext passwords — there are none.
Row-level security
Every Supabase table has RLS enabled. Hosts can only read and write their own events, invites, and payments. Service-role access is restricted to server-side code that runs on trusted infrastructure.
Payments
Stripe Connect handles all card data. Vumo never sees your card number or your guests'. Payouts go directly from guests to the host's connected Stripe account.
Invite-link security
Every guest receives a unique UUID token. Tokens are single-use for check-in and impossible to guess. If you believe a token has been shared, you can revoke and reissue from the host dashboard.
Incident reporting
Found a security issue? Email security@vumo.app. We acknowledge within 24 hours and credit responsible disclosures.