Engineered around regulated workloads.
Last updated: 24 May 2026
1. Infrastructure
Production runs on hardened cloud (region-pinned) with rotating credentials, signed deployments, and 24/7 observability. All traffic terminates TLS 1.3 at Cloudflare and is re-encrypted to origin. Postgres uses row-level security for every table that touches user data.
2. Identity
Authentication is Supabase Auth with optional Google OIDC. Admin privileges are gated by a separate user_roles table enforced via a SECURITY DEFINER function. Long-lived secrets are stored in Cloudflare bindings, never committed to source.
3. Payments
Card data flows directly from the user's browser to Stripe via Stripe.js — Avarex never sees PAN or CVV. Webhooks are signature-verified using stripe.webhooks.constructEventAsync; unsigned or replayed events are rejected at the edge. Every successful checkout writes an idempotent ledger entry via a transactional RPC.
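The signature and replay check described in this section, written out by hand as an added example; it is not Avarex's code and not the Stripe SDK's implementation. The secret, event payload, helper names and the in-memory `seenIds` set are constructed for illustration; the `t=...,v1=...` header layout and the 300-second tolerance follow Stripe's documented signing scheme.

```javascript
// Added illustration of a Stripe-style webhook check (HMAC-SHA256 over "<t>.<raw body>").
// Secret, payload and helper names are constructed; this is not the SDK's own code.
const nodeCrypto = require("node:crypto");

const TOLERANCE_SEC = 300; // Stripe's documented default timestamp tolerance

// Sender-side helper used only to build sample input: "t=<unix>,v1=<hex hmac>".
function signPayload(rawBody, secret, timestamp) {
  const mac = nodeCrypto.createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
  return `t=${timestamp},v1=${mac}`;
}

// Returns { ok: true, event } or { ok: false, reason }.
function verifyWebhook(rawBody, header, secret, nowSec, seenIds) {
  if (!header) return { ok: false, reason: "unsigned" };
  const parts = header.split(",").map((kv) => kv.split("="));
  const t = Number((parts.find(([k]) => k === "t") || [])[1]);
  const sigs = parts.filter(([k]) => k === "v1").map(([, v]) => v);
  if (!Number.isInteger(t) || sigs.length === 0) return { ok: false, reason: "malformed" };

  // The MAC covers the timestamp, so it cannot be refreshed without the secret.
  const expected = nodeCrypto.createHmac("sha256", secret).update(`${t}.${rawBody}`).digest();
  const match = sigs.some((hex) => {
    const got = Buffer.from(hex, "hex");
    return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
  });
  if (!match) return { ok: false, reason: "bad_signature" };

  // A validly signed but old delivery is rejected as a replay.
  if (nowSec - t > TOLERANCE_SEC) return { ok: false, reason: "stale" };

  // Assumption: a Set stands in for a durable store of processed event ids.
  const event = JSON.parse(rawBody);
  if (seenIds.has(event.id)) return { ok: false, reason: "duplicate" };
  seenIds.add(event.id);
  return { ok: true, event };
}

// Constructed sample delivery: accepted when fresh, rejected when replayed later.
const demoSecret = "whsec_constructed_example";
const demoBody = JSON.stringify({ id: "evt_constructed_1", type: "checkout.session.completed" });
const demoHeader = signPayload(demoBody, demoSecret, 1700000000);
console.log(verifyWebhook(demoBody, demoHeader, demoSecret, 1700000030, new Set()).ok);
console.log(verifyWebhook(demoBody, demoHeader, demoSecret, 1700009999, new Set()).reason);
```

The raw request body must be verified byte for byte as received; re-serialising parsed JSON before the check changes the signed bytes and fails verification.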
4. Vulnerability disclosure
We welcome coordinated disclosure. Email avarextech.help@gmail.com with reproduction steps. We acknowledge within 24 hours, fix within an agreed window, and credit reporters on request. Please do not test against production data — use the sandbox endpoints with the provided test keys.
5. Out of scope
Findings on the sandbox console with test keys, content-only issues without security impact, missing headers without a demonstrable risk, and social engineering of staff are out of scope.