Data protection
- HTTPS everywhere. Every public endpoint — the dashboard, the API, and every short link redirect — is served over HTTPS via Let's Encrypt. Custom domains get auto-issued certs that auto-renew.
- Passwords are bcrypt-hashed. User account passwords and per-link passwords are stored as salted bcrypt hashes. We can't read them, and an attacker who obtained the database would have to brute-force each one separately; bcrypt's work factor makes that slow, though it can't rescue a weak password.
- API keys are stored hashed. When you mint an API key, the plaintext is shown to you exactly once. We store only the SHA-256 of the key; verification hashes what the client presents and compares. A fast hash is appropriate here, unlike for passwords, because a long random key leaves nothing to guess.
- Sessions use HttpOnly, Secure cookies. The session cookie is not readable from JavaScript and, in production, is only ever sent over HTTPS.
- CSRF tokens on every state-changing request. Forms include a per-session token validated on the server. The API uses bearer tokens instead, where CSRF doesn't apply: a browser never attaches an Authorization header on its own, so a cross-site request can't carry one.
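As an added example (not Stacksy's code), this is how the credential storage described above can be implemented on a PHP 8 stack: a random API key hashed with SHA-256 and looked up by hash, beside a password hashed with bcrypt. The function names, the "sk_" key prefix, the bcrypt cost factor and the in-memory stand-in for the api_keys table are assumptions for illustration.

```php
<?php
// Added example, not Stacksy's code: one way to implement the credential
// storage described above in PHP 8. Function names, the "sk_" key prefix,
// the bcrypt cost and the in-memory "table" are assumptions for illustration.
declare(strict_types=1);

// ---- API keys: random, shown once, stored only as SHA-256 ----------------

// Mint a key. 32 random bytes give 256 bits of entropy, so a fast unsalted
// hash is adequate: there is no dictionary to try, unlike a human password.
function mintApiKey(): array
{
    $plaintext = 'sk_' . bin2hex(random_bytes(32));
    return [
        'plaintext' => $plaintext,                 // shown to the user once, never persisted
        'hash'      => hash('sha256', $plaintext), // the only thing written to the database
    ];
}

// Verify a presented key. The row is found by hashing what the client sent,
// so the database never needs the plaintext; hash_equals() keeps the final
// comparison constant-time.
function verifyApiKey(string $presented, string $storedHash): bool
{
    return hash_equals($storedHash, hash('sha256', $presented));
}

// ---- Passwords: low entropy, so a slow, salted hash (bcrypt) --------------

function hashPassword(string $password): string
{
    // password_hash() picks a fresh random salt per call and encodes salt and
    // cost in the returned string, so nothing else needs storing. Cost 12 is an
    // assumption; raise it until one hash takes roughly 100 ms on your hardware.
    // Caveat: bcrypt only looks at the first 72 bytes of the password.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// ---- Demonstration on constructed data ------------------------------------

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$key = mintApiKey();
// Stand-in for the api_keys table: keyed by hash, holding only metadata.
$apiKeysTable = [$key['hash'] => ['user_id' => 42, 'label' => 'ci-deploy']];

// A request arrives with the plaintext key: look up by hash, then verify.
$presented = $key['plaintext'];
$row = $apiKeysTable[hash('sha256', $presented)] ?? null;
expect($row !== null && verifyApiKey($presented, $key['hash']), 'genuine key accepted');
expect(!verifyApiKey('sk_' . str_repeat('0', 64), $key['hash']), 'forged key rejected');

$linkHash = hashPassword('correct horse battery staple');
expect(verifyPassword('correct horse battery staple', $linkHash), 'right password accepted');
expect(!verifyPassword('Correct horse battery staple', $linkHash), 'wrong password rejected');

echo "api key (show once): {$key['plaintext']}\n";
echo "stored sha256:       {$key['hash']}\n";
echo "stored bcrypt:       {$linkHash}\n";
echo "all checks passed\n";
```

The split is the point: a key minted from random_bytes() has nothing to guess, so a single fast SHA-256 is enough and lets the row be found by hash; a password does, so it gets bcrypt's per-password salt and tunable cost via password_hash(), which also means a database dump holds no reusable secret for either.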
Click data & privacy
- No third-party trackers on redirects. When a visitor clicks one of your short links, their browser does nothing but follow the redirect, and our server writes one click row to our database. No Google Analytics, no Facebook pixel, no Bitly-style downstream pings.
- IP-to-country lookup is server-side. The one third-party call happens on our server, not in the visitor's browser: we send the visitor's IP to a single lookup API (ipapi.co) to derive a country, and keep nothing from that response except the country. The IP itself is stored alongside the click for your debugging and is visible only to you.
- Your data, exportable. CSV export from the dashboard pulls everything you can see. No lock-in.
- No data sales, ever. Your link metadata and click data aren't sold, syndicated, or otherwise shared with third parties.
Infrastructure
- Hosting. Single dedicated VPS in our region (Australia/SE Asia), running PHP 8.4 on nginx with MySQL 8. Disk snapshots taken regularly by the provider.
- Database backups. Daily binary backups retained for 14 days. Manual restore drills run quarterly. We can restore to a point in time on request.
- Deploy pipeline. GitHub-tagged commits auto-deploy via a signed webhook. Every code change is in git history. No SSH-and-edit-on-the-server changes in production.
- Migrations. Schema changes ship as sequential migration files applied automatically on deploy. Rollback documented per migration.
Payment security
- Stripe-managed billing. Card details are entered directly into Stripe's hosted checkout, so we never see, touch, or store card data. The cardholder-data environment, and with it the bulk of PCI DSS scope, sits with Stripe.
- Webhook signature verification. Every Stripe webhook payload is verified against our endpoint signing secret before any action is taken. A failed signature check is logged and answered with HTTP 400 before the payload is even parsed.
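Both the signed GitHub deploy hook under Infrastructure and the Stripe webhook above rest on the same check: recompute an HMAC-SHA256 over the raw request body with a shared secret, compare in constant time, and refuse to act on a mismatch. The following is an added example (not Stacksy's code) of that check for both senders in PHP 8; the header formats are GitHub's (X-Hub-Signature-256: sha256=<hex>) and Stripe's (Stripe-Signature: t=<unix time>,v1=<hex> over "<t>.<body>"), while the secrets, payloads, function names and 300-second replay tolerance are constructed for illustration.

```php
<?php
// Added example, not Stacksy's code: verifying the two inbound webhooks the
// page mentions (a GitHub deploy hook and a Stripe billing event) before doing
// anything with the payload. Secrets, payloads and function names are constructed.
declare(strict_types=1);

// GitHub signs the raw request body with HMAC-SHA256 using the webhook secret
// and sends "X-Hub-Signature-256: sha256=<hex>". Always verify the raw bytes
// you received, never a re-serialised copy: any whitespace change breaks the MAC.
function verifyGithubSignature(string $rawBody, string $headerValue, string $secret): bool
{
    if (!str_starts_with($headerValue, 'sha256=')) {
        return false;
    }
    $expected = 'sha256=' . hash_hmac('sha256', $rawBody, $secret);
    return hash_equals($expected, $headerValue);   // constant-time compare
}

// Stripe sends "Stripe-Signature: t=<unix ts>,v1=<hex>[,v1=<hex>...]" where the
// MAC is HMAC-SHA256 over "<t>.<raw body>". Because the timestamp is inside the
// signed data, rejecting stale timestamps also defeats replay of a captured request.
function verifyStripeSignature(
    string $rawBody,
    string $headerValue,
    string $endpointSecret,
    int $now,
    int $toleranceSeconds = 300   // assumption: matches Stripe's default tolerance
): bool {
    $timestamp  = null;
    $candidates = [];
    foreach (explode(',', $headerValue) as $part) {
        [$k, $v] = array_pad(explode('=', trim($part), 2), 2, '');
        if ($k === 't' && $v !== '' && strspn($v, '0123456789') === strlen($v)) {
            $timestamp = (int) $v;
        } elseif ($k === 'v1') {
            $candidates[] = $v;   // several v1 values appear while a secret is being rotated
        }
    }
    if ($timestamp === null || $candidates === []) {
        return false;             // malformed header: treat exactly like a bad signature
    }
    if (abs($now - $timestamp) > $toleranceSeconds) {
        return false;             // too old (or from the future): treat as a replay
    }
    $expected = hash_hmac('sha256', $timestamp . '.' . $rawBody, $endpointSecret);
    foreach ($candidates as $sig) {
        if (hash_equals($expected, $sig)) {
            return true;
        }
    }
    return false;
}

// ---- Constructed demonstration --------------------------------------------
$ghSecret = 'constructed-github-secret';
$ghBody   = '{"ref":"refs/tags/v1.4.2","repository":{"full_name":"example/app"}}';
$ghHeader = 'sha256=' . hash_hmac('sha256', $ghBody, $ghSecret);

$stripeSecret = 'whsec_constructed_endpoint_secret';
$stripeBody   = '{"id":"evt_test","type":"invoice.paid"}';
$now          = 1_700_000_000;
$stripeHeader = 't=' . $now . ',v1=' . hash_hmac('sha256', $now . '.' . $stripeBody, $stripeSecret);

$cases = [
    'github valid'             => verifyGithubSignature($ghBody, $ghHeader, $ghSecret),
    'github tampered body'     => verifyGithubSignature($ghBody . ' ', $ghHeader, $ghSecret),
    'stripe valid'             => verifyStripeSignature($stripeBody, $stripeHeader, $stripeSecret, $now + 30),
    'stripe replayed 10 min'   => verifyStripeSignature($stripeBody, $stripeHeader, $stripeSecret, $now + 600),
    'stripe wrong secret'      => verifyStripeSignature($stripeBody, $stripeHeader, 'whsec_other', $now),
];
foreach ($cases as $name => $ok) {
    printf("%-26s %s\n", $name, $ok ? 'accept' : 'reject: log and respond 400');
}
```

In a real handler the raw body comes from file_get_contents('php://input') and the headers from $_SERVER['HTTP_X_HUB_SIGNATURE_256'] or $_SERVER['HTTP_STRIPE_SIGNATURE']; run the check before json_decode(), and on failure log and return 400 without touching the payload, which is the behaviour described above.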
What we monitor
- Live status checks at /status. Web app, database, email, billing, QR service, and disk space. Generated on every visit from production.
- Application errors log to the server and (optionally) to Sentry for trend analysis.
- Health endpoint at /health for external uptime monitors.
Responsible disclosure
If you've found a security issue, please email kristen@stacksy.com.au with details and a way to reproduce it. We respond within one business day, fix critical issues fast, and credit reporters who'd like to be named.
Please don't run automated scans against production without coordinating first.
What we don't have (yet)
We're honest about gaps. As a small Australian company we don't currently hold:
- SOC 2 Type 2 attestation (talk to us if it's required for your procurement)
- ISO 27001 certification
- HIPAA Business Associate Agreement
If you've got specific compliance requirements, get in touch and we'll be straight about whether we can meet them.