Security at My Treat

How we protect the people, businesses, and data on our platform.

The short version. My Treat is built and run by a cybersecurity professional. Security is a design constraint from the first commit -- not a feature added later. Data is encrypted in transit and at rest. We run no tracking pixels on sign-in or billing surfaces, and we do not sell your data. This page marks each control In place if it is live today and Planned if it ships before public launch. We would rather be honest about our maturity stage than overstate our posture.

Controls in place today

ControlStatus
Encryption at rest - AES-256 on all primary data stores via Google Cloud defaults (Firestore, Cloud Storage)In place
Encryption in transit - TLS on all customer-facing endpoints via Firebase Hosting managed certificates; HSTS with preload enforcedIn place
Security response headers - Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy served on all public pagesIn place
Responsible disclosure policy - security.txt per RFC 9116 with contact, expiry, and policy linkIn place
Privacy and data subject rights - Published Privacy Policy, Terms, and Community Guidelines; export and deletion available via direct contactIn place
Secrets handling - No credentials in source control; production secrets stored in Google Cloud Secret Manager outside the codebaseIn place
Hardware security keys - YubiKey anchoring the identity-provider and credential-vault accounts for all Managing Member accessIn place
Sponsor account MFA (TOTP) - Opt-in TOTP second factor available to all sponsor portal accounts on billing-touching flowsIn place
DMARC p=reject - DNSSEC is signed, CAA is published, and DMARC is enforced at p=reject (hardened 2026-06-24 after aggregate-report review); unauthorized senders are rejected by receiving mail serversIn place
Vendor minimization - Deliberately small set of third-party services; no tracking pixels on authentication or billing surfacesIn place

Controls shipping before public launch

Each item below will move to In place as it is deployed and verified.

ControlStatus
Operations console behind Cloud Identity-Aware Proxy - staff-only allowlist enforced at the network edge before requests reach application codePlanned
Cloud Armor web application firewall - OWASP rule coverage and rate limiting on public endpointsPlanned
Immutable audit log - privileged operations console actions mirrored to long-term retention storagePlanned
Strict Content Security Policy - upgrade path from the current policy (which uses unsafe-inline for static page styles) to nonce-based CSP on the sponsor portal and operations consolePlanned
Least-privilege service accounts - separated read and write identities for analytics versus operational dataPlanned

Vulnerability disclosure

We welcome reports from independent security researchers. Our security.txt file follows RFC 9116.

Report a vulnerability: security@mytreat.club
We acknowledge within 5 business days and triage within 10. We target remediation of critical issues within 90 days and high issues within 120 days. Medium and low severity issues are addressed on a best-effort basis. We do not pursue legal action against researchers acting in good faith.

Frameworks we follow

Independently verifiable claims

The following claims on this page can be verified by anyone without taking our word for it. If any tool reports a materially lower result than this page implies, that is a bug -- tell us at security@mytreat.club.

Researcher acknowledgments

We publicly thank researchers who responsibly disclose vulnerabilities. With your permission, we will list your name or handle here after your report has been validated and remediated.

No external researcher acknowledgments yet.

Contact