How we protect the people, businesses, and data on our platform.
The short version. My Treat is built and run by a cybersecurity professional. Security is a design constraint from the first commit -- not a feature added later. Data is encrypted in transit and at rest. We run no tracking pixels on sign-in or billing surfaces, and we do not sell your data. This page marks each control In place if it is live today and Planned if it ships before public launch. We would rather be honest about our maturity stage than overstate our posture.
| Control | Status |
|---|---|
| Encryption at rest - AES-256 on all primary data stores via Google Cloud defaults (Firestore, Cloud Storage) | In place |
| Encryption in transit - TLS on all customer-facing endpoints via Firebase Hosting managed certificates; HSTS with preload enforced | In place |
| Security response headers - Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy served on all public pages | In place |
Responsible disclosure policy - security.txt per RFC 9116 with contact, expiry, and policy link | In place |
| Privacy and data subject rights - Published Privacy Policy, Terms, and Community Guidelines; export and deletion available via direct contact | In place |
| Secrets handling - No credentials in source control; production secrets stored in Google Cloud Secret Manager outside the codebase | In place |
| Hardware security keys - YubiKey anchoring the identity-provider and credential-vault accounts for all Managing Member access | In place |
| Sponsor account MFA (TOTP) - Opt-in TOTP second factor available to all sponsor portal accounts on billing-touching flows | In place |
| DMARC p=reject - DNSSEC is signed, CAA is published, and DMARC is enforced at p=reject (hardened 2026-06-24 after aggregate-report review); unauthorized senders are rejected by receiving mail servers | In place |
| Vendor minimization - Deliberately small set of third-party services; no tracking pixels on authentication or billing surfaces | In place |
Each item below will move to In place as it is deployed and verified.
| Control | Status |
|---|---|
| Operations console behind Cloud Identity-Aware Proxy - staff-only allowlist enforced at the network edge before requests reach application code | Planned |
| Cloud Armor web application firewall - OWASP rule coverage and rate limiting on public endpoints | Planned |
| Immutable audit log - privileged operations console actions mirrored to long-term retention storage | Planned |
| Strict Content Security Policy - upgrade path from the current policy (which uses unsafe-inline for static page styles) to nonce-based CSP on the sponsor portal and operations console | Planned |
| Least-privilege service accounts - separated read and write identities for analytics versus operational data | Planned |
We welcome reports from independent security researchers. Our security.txt file follows RFC 9116.
Report a vulnerability: security@mytreat.club
We acknowledge within 5 business days and triage within 10. We target remediation of critical issues within 90 days and high issues within 120 days. Medium and low severity issues are addressed on a best-effort basis. We do not pursue legal action against researchers acting in good faith.
The following claims on this page can be verified by anyone without taking our word for it. If any tool reports a materially lower result than this page implies, that is a bug -- tell us at security@mytreat.club.
We publicly thank researchers who responsibly disclose vulnerabilities. With your permission, we will list your name or handle here after your report has been validated and remediated.
No external researcher acknowledgments yet.