Approveda is built to handle sensitive business and government data. Here is how we protect it.
Infrastructure
Hosting: Vercel (edge deployment, SOC 2 Type II certified)
Database: Neon PostgreSQL (encrypted at rest, SSL connections required)
Authentication: NextAuth with JWT tokens signed with a 256-bit secret. Google OAuth and email/password authentication supported.
Payments: Stripe (PCI DSS Level 1 compliant). No card data touches our servers.
Email: Resend (transactional email only, no marketing automation)
Application Security
All connections encrypted via HTTPS/TLS.
Passwords hashed using bcrypt, which salts every hash and applies a configurable work factor (the salt rounds setting).
API routes protected with session validation; automated (cron) endpoints additionally require a CRON_SECRET.
No sensitive data logged in application logs.
Checkpoint Security
Application data is isolated by agency. No cross-agency data visibility.
Submissions are secured with SHA-256 cryptographic hash chains. Each submission's integrity can be independently verified.
Applicant PII is visible only to the agency that received the application.
The hash chain creates an immutable record of what was submitted and when. Tampering with any record breaks the verification chain.
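As an added illustration of the hash-chain idea described above (example code written here, not Approveda's implementation): each link's SHA-256 hash covers the previous link's hash plus a canonical serialization of the submission, so editing any record, or re-hashing only the edited link, is caught by a verifier. The record fields, the genesis anchor and the serialization layout are assumptions.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed fixed anchor for the first link (not from the page)

def canonical(record: dict) -> bytes:
    """Deterministic serialization: same content must always hash the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def link_hash(prev_hash: str, record: dict) -> str:
    """Bind this submission to everything before it via the previous hash."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(record))
    return h.hexdigest()

def append(chain: list, record: dict) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev_hash": prev, "hash": link_hash(prev, record)}
    chain.append(entry)
    return entry

def verify(chain: list) -> Optional[int]:
    """None if every link checks out, else the index of the first broken link."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or link_hash(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None

def demo() -> tuple:
    """Constructed sample data: three submissions, then two tampering attempts."""
    chain = []
    for n in range(3):
        append(chain, {"agency": "agency-A", "applicant": f"applicant-{n}",
                       "submitted_at": f"2024-01-0{n + 1}T12:00:00Z"})
    intact = verify(chain)                      # None: chain is consistent
    chain[1]["record"]["applicant"] = "someone-else"
    edited = verify(chain)                      # 1: stored hash no longer matches
    # Re-hashing only the edited link moves the break to the next link, whose
    # prev_hash still points at the original value.
    chain[1]["hash"] = link_hash(chain[1]["prev_hash"], chain[1]["record"])
    relinked = verify(chain)                    # 2
    return intact, edited, relinked
```

Because every later link depends on the earlier ones, a verifier only needs the stored records and a trusted copy of the latest hash to detect a silent rewrite anywhere in the history.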
Data Isolation
ClearedPath user data stays in ClearedPath. Checkpoint government data stays in Checkpoint. The only bridge is a one-way submission: when an applicant explicitly submits an application through Checkpoint, that data moves to the agency's queue. After submission, ClearedPath has no visibility into Checkpoint's internal processing.
Responsible Disclosure
If you discover a security vulnerability, please report it to will@ssgr.us. We take all reports seriously and will respond within 48 hours.
