Our Commitment
Security is not an afterthought at Measure. We handle analytics data for real websites and real businesses, and we take that responsibility seriously. This page describes our security practices at a high level.
Data Transmission
- All data in transit is encrypted via TLS 1.2 or higher
- HTTPS is enforced on all endpoints — no plain HTTP
- HSTS headers are set with long max-age values
- Our tracking snippet communicates with our collection endpoint over HTTPS only
Data Storage
- All data at rest is encrypted
- Database backups are encrypted and stored separately from primary data
- We do not store credit card numbers — payments are handled entirely by Stripe
- API keys are hashed before storage; we cannot recover them if lost
Infrastructure
- Servers are hosted in the United States on hardened infrastructure
- Access to production systems is restricted to authorized personnel only
- We use environment variable management to keep secrets out of source code
- Dependencies are audited regularly for known vulnerabilities
Application Security
- Authentication uses magic-link codes via email — no passwords to leak
- Session tokens are rotated on authentication
- All admin actions are gated by authentication and authorization checks
- Input validation and parameterized queries prevent SQL injection
- CSRF protection is enabled on all state-changing endpoints
- Content Security Policy headers restrict script execution
Privacy by Design
Measure does not collect personal data from your website visitors. This is the best security posture for visitor data: we do not have what we do not collect. IP addresses are used only for country-level geolocation and are immediately discarded. No cookies are set, and no fingerprints are generated.
Incident Response
In the event of a confirmed security incident affecting your data, we will notify affected users by email within 72 hours of discovery, in accordance with GDPR obligations where applicable.
Reporting a Vulnerability
If you discover a security vulnerability in Measure, please report it responsibly to security@measure.events. We will acknowledge your report within 48 hours and work to remediate confirmed issues promptly. We do not have a formal bug bounty program at this time, but we do appreciate responsible disclosure.
Contact
Security questions? Email security@measure.events.