Your data security matters to us. Salepager is built on trusted, enterprise-grade platforms and partners that provide robust security at every level.
Last updated: January 15, 2025
1. Our Approach to Security
Salepager is built on top of trusted, enterprise-grade platforms and service providers. Rather than building security infrastructure from scratch, we deliberately chose vendors with proven security track records so that your data benefits from the same protections used by thousands of businesses worldwide.
We are continuously mindful of our customers' privacy and operate on the principle of least privilege — our software is designed to request the most limited access to customer resources necessary to deliver a seamless experience. We retain a minimal amount of customer data and limit access to all customer data on a need-to-know basis internally.
Our key technology partners include:
Bubble.io: Our application platform, which provides hosting, database management, encryption, and application-level security
Plaid, Inc.: Our bank data integration partner, which securely handles all bank account connections and credential management
Stripe, Inc.: Our payment processing partner, which handles all payment transactions, billing, and sensitive financial data
Cloudflare, Inc.: Our domain and CDN provider, which delivers DNS management, DDoS protection, and edge security
Pathfix: Our OAuth integration proxy, which securely manages third-party OAuth tokens without exposing credentials to Salepager's servers
SimplePager.ai: Our lead capture and landing page partner, which handles form submissions and lead data collection
This page outlines the security measures provided by these vendors and partners, and how they work together to protect your data when you use Salepager.
2. Sub-Processors
Salepager relies on the following third-party sub-processors to deliver our service. Each sub-processor has been selected for its strong security posture and compliance certifications. The table below lists each vendor, its role in our platform, and a link to its privacy or security documentation.
Vendor
Purpose
Privacy / Security Page
Bubble.io
Application platform, database hosting, and infrastructure (hosted on AWS)
Lead capture forms and landing page infrastructure
Available on request
Sub-Processor Change Notification
We may update our list of sub-processors from time to time as our platform evolves. When we add, replace, or remove a sub-processor, we will update this page and revise the "Last updated" date at the top. We recommend checking this page periodically to stay informed of any changes.
If you have questions about any of our sub-processors or their security practices, please contact us using the details in the Contact section below.
2. Platform Infrastructure (Bubble & Cloudflare)
Salepager is built on Bubble.io, a leading no-code application platform, with Cloudflare providing domain management and edge security. Together, they provide the following infrastructure security measures:
SOC 2 Type II compliant hosting: Bubble hosts applications on AWS (Amazon Web Services), which supports over 143 security standards and compliance certifications, and maintains SOC 2 Type II compliance with 24/7 physical security, biometric access controls, and environmental protections at its data centers
GDPR compliance: Bubble meets GDPR standards, providing the data processing controls and agreements necessary to support compliance for users in the European Union and beyond
Network security: Bubble's infrastructure includes firewalls, network segmentation, and DDoS protection provided by AWS and Cloudflare
Cloudflare edge protection: Cloudflare provides DNS management, SSL/TLS termination, Web Application Firewall (WAF), bot mitigation, and global CDN caching to protect against attacks at the network edge
DDoS mitigation: Cloudflare's global network automatically detects and mitigates distributed denial-of-service attacks before they reach our application infrastructure
High availability: Applications are deployed across multiple AWS availability zones with automatic failover to minimize downtime
Change tracking & audit logs: Bubble maintains extensive logs of changes and supports point-in-time data and version recovery, providing a full audit trail of platform-level activity
Monitoring: Bubble provides real-time monitoring and alerting for infrastructure health and performance anomalies
Data encryption is handled by our platform and infrastructure providers:
Encryption in transit: All communications between your browser and Salepager are encrypted using TLS 1.2 or higher, enforced by Cloudflare, Bubble, and AWS. HTTPS is required across all endpoints
Encryption at rest: All data stored in Bubble's databases is encrypted at rest using AES-256 encryption, provided by AWS's storage encryption services
Key management: Encryption keys are managed by AWS Key Management Service (KMS) with automatic key rotation and strict access controls
Plaid encryption: All bank data transmitted through Plaid is encrypted using AES-256 and TLS, managed entirely by Plaid's infrastructure
Stripe encryption: All payment data processed through Stripe is encrypted using AES-256 and transmitted over TLS. Stripe is a PCI DSS Level 1 certified service provider, the highest level of payment security certification
Cloudflare SSL/TLS: Cloudflare provides and manages SSL/TLS certificates for our domain, ensuring encrypted connections from the edge to the end user
Salepager does not manage encryption keys directly -- this is handled entirely by our infrastructure providers to ensure best-in-class key security.
4. Authentication & Access Controls
User authentication and access controls are provided by Bubble's built-in security features:
Secure password storage: User passwords are stored as salted password hashes using one-way hashing — an irreversible transformation that means you cannot go from the hashed password back to the original password. Plaintext passwords are never stored anywhere in our system
Session management: Sessions are securely managed by Bubble with encrypted tokens and automatic expiration
Privacy rules: Bubble's privacy rules engine controls which data each user can access, ensuring users can only view and modify their own data
Rate limiting: Bubble provides built-in rate limiting on API endpoints and login attempts to prevent brute-force attacks
We configure Bubble's privacy rules and access controls to enforce the principle of least privilege, ensuring each user only has access to their own invoices, receipts, and payment data.
5. OAuth Integration Security (Pathfix)
Salepager uses Pathfix as a serverless OAuth API proxy to securely manage third-party integrations. This approach means we avoid collecting or storing your login credentials for any connected third-party service:
No credential collection: By routing OAuth flows through Pathfix, Salepager never handles or stores your passwords for any connected service. Authentication is handled entirely by Pathfix's secure proxy
Encrypted token storage: All OAuth access tokens and refresh tokens are encrypted and stored in Pathfix's cluster servers, which are specifically designed to prevent brute-force attacks even in the event of a breach
Encryption in transit and at rest: Pathfix encrypts all data both in transit and at rest using the Advanced Encryption Standard (AES), making token data unreadable to human eyes and inaccessible to external attackers
Penetration & vulnerability audits: Pathfix servers and encryption algorithms undergo stringent penetration testing and vulnerability audits to ensure ongoing security of stored tokens and credentials
User-controlled disconnection: You can disconnect any OAuth integration at any time through your Salepager portal, which immediately revokes the associated tokens
Salepager integrates with Plaid, Inc. to securely connect your bank account for payment matching. All bank-related security is managed by Plaid:
Zero credential storage: Your bank login credentials are handled exclusively by Plaid and are never transmitted to or stored on Salepager's platform. Salepager has no access to your banking passwords
Read-only access: Our Plaid integration operates in read-only mode. Neither Salepager nor Plaid (through our integration) can initiate, modify, or reverse any bank transactions
Tokenized connections: Bank connections are represented by secure, encrypted tokens managed by Plaid. Even if a token were compromised, it could not be used to access your bank credentials
Data minimization: We only request the transaction data necessary for payment matching (sender name, amount, date, memo) through Plaid's API
Plaid's security standards: Plaid maintains SOC 2 Type II compliance, uses AES-256 encryption, and undergoes regular third-party security audits. Learn more at Plaid's Security page
You can disconnect your bank account at any time, which immediately revokes the Plaid access token and stops any further data retrieval.
7. Payment Processing (Stripe)
Salepager uses Stripe, Inc. to securely process all payments and billing. All payment-related security is managed by Stripe:
PCI DSS Level 1: Stripe is certified as a PCI DSS Level 1 service provider, the most stringent level of certification in the payments industry. This means all credit card and payment data is handled under the highest security standards
No card data on Salepager: Credit card numbers, CVVs, and other sensitive payment details are never transmitted to or stored on Salepager's platform. All payment information is collected and processed directly by Stripe
Tokenized payments: Payment methods are represented by secure tokens managed by Stripe. Salepager only receives confirmation of payment status -- never the underlying card or bank details
Fraud prevention: Stripe provides built-in machine learning-based fraud detection (Stripe Radar) that monitors transactions in real time to identify and block fraudulent activity
3D Secure: Stripe supports 3D Secure authentication for an additional layer of cardholder verification when required
Salepager uses SimplePager.ai for lead capture forms and landing pages. SimplePager.ai handles form submissions and lead data with the following measures:
Encrypted transmission: All form submissions are transmitted over HTTPS/TLS, ensuring lead data is encrypted in transit
Data handling: Lead information (such as name, email, and inquiry details) is collected and stored securely by SimplePager.ai's infrastructure
Limited data scope: Only the information voluntarily submitted by prospects through our forms is collected -- no hidden tracking or data harvesting beyond what is disclosed
9. Application Security
Application-level security is primarily provided by Bubble's platform:
OWASP Top 10 protections: Bubble's platform includes built-in protections against common web vulnerabilities such as SQL injection, XSS (cross-site scripting), and CSRF (cross-site request forgery), validated against the OWASP Top 10
Annual penetration testing: Bubble conducts penetration tests at minimum annually, following the comprehensive OWASP Web Security Testing Guide (WSTG) to ensure thorough coverage of application-level vulnerabilities
Automated vulnerability testing: Bubble uses automated code testing and continuous monitoring technologies to detect and address vulnerabilities on an ongoing basis
Input validation: User inputs are validated and sanitized by Bubble's framework on both client and server sides
Content Security Policy: Bubble implements CSP headers to help prevent cross-site scripting and data injection attacks
Automatic updates: Security patches and platform updates are applied by Bubble automatically, ensuring the underlying infrastructure stays current without manual intervention
Dependency management: Third-party dependencies and libraries are managed and updated by Bubble as part of their platform maintenance
Because Salepager is built on Bubble's managed platform, many categories of infrastructure and application vulnerabilities are handled automatically by Bubble's engineering team.
10. Vendor Compliance & Certifications
The security certifications and compliance standards relevant to Salepager are maintained by our vendors:
Bubble / AWS -- SOC 2 Type II: Bubble's hosting infrastructure on AWS maintains SOC 2 Type II compliance, ensuring rigorous controls over security, availability, and confidentiality
Plaid -- SOC 2 Type II: Plaid independently maintains SOC 2 Type II compliance and undergoes regular third-party security audits for its bank data services
Stripe -- PCI DSS Level 1: Stripe maintains PCI DSS Level 1 certification, the highest level of payment security compliance, and also holds SOC 2 Type II certification
Cloudflare -- SOC 2 Type II, ISO 27001: Cloudflare maintains SOC 2 Type II compliance and ISO 27001 certification for its global network and security services
AWS -- ISO 27001, SOC 1/2/3: Amazon Web Services holds multiple security certifications including ISO 27001, SOC 1, SOC 2, and SOC 3
CCPA & GDPR: Bubble, Plaid, Stripe, and Cloudflare each provide tools and data processing agreements to support compliance with CCPA and GDPR requirements
Salepager does not independently hold these certifications. The security standards listed above are maintained by our vendors, and we rely on their compliance programs to protect the data processed through our platform.
11. Incident Response
In the event of a security incident, response is handled at multiple levels:
Platform-level response: Bubble and AWS have dedicated security teams that monitor for and respond to infrastructure-level security events 24/7
Plaid incident response: Plaid maintains its own incident response program for any events affecting bank data connections
Stripe incident response: Stripe operates a dedicated security team that monitors payment infrastructure around the clock and maintains its own incident response procedures
Cloudflare incident response: Cloudflare provides real-time threat monitoring and automatic mitigation across its global network, with a dedicated security response team
Salepager notification: If we become aware of a security incident that may affect your data, we will notify affected users as promptly as possible and in accordance with applicable laws
Vendor coordination: In the event of an incident, we work with our vendors to understand the scope, impact, and remediation steps
Because our infrastructure is managed by established vendors with dedicated security teams, incident detection and initial response benefit from their around-the-clock monitoring capabilities.
12. Data Backup & Recovery
Data backup and disaster recovery are provided by our platform infrastructure:
Automated backups: Bubble performs automatic daily backups of all application data, with point-in-time recovery capability
Change tracking & audit logs: Bubble maintains extensive logs of all changes with point-in-time data and version recovery, providing a full audit trail and the ability to restore to any prior state
Geographic redundancy: Backups are stored across multiple AWS regions to protect against regional outages or disasters
Backup encryption: All backup data is encrypted at rest using the same AES-256 standard as production data, managed by AWS
Recovery: Bubble's platform supports data restoration in the event of data loss or corruption
Backup scheduling, retention, and recovery procedures are managed by Bubble as part of their platform service.
13. Your Responsibilities
While our vendors provide robust security infrastructure, you also play an important role in keeping your account secure:
Strong passwords: Use a unique, strong password for your Salepager account that you do not reuse on other services
Account access: Do not share your login credentials with others. You are responsible for all activity that occurs under your account
Suspicious activity: If you notice any unauthorized activity on your account, contact us immediately so we can help secure it
Bank connections: Review your connected bank accounts periodically and disconnect any accounts you no longer wish to use with Salepager
Device security: Keep your devices and browsers up to date with the latest security patches
14. Contact Us
If you have any security concerns, questions about our vendors' security practices, or want to report a potential vulnerability, please reach out: