How We Protect Your Data
Last updated March 14, 2026
FIXnotes handles sensitive business information as part of our buyer qualification process. We take the security of that data seriously. This page describes the technical and operational measures we have in place today.
Encryption
Sensitive data fields — including tax identification numbers and beneficial owner addresses — are encrypted at rest using AES-256-GCM, an authenticated encryption standard used by financial institutions and government agencies worldwide. Each encrypted value is bound to its specific database record, preventing tampering or unauthorized reuse.
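One common way to bind an AES-256-GCM ciphertext to its database record is to pass the record's identity as additional authenticated data (AAD). The sketch below is an added example, not FIXnotes' own code; the table and column names, the context format, and the `iv || tag || ciphertext` storage layout are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed demo key; a real deployment would load a 32-byte key from a KMS or secret store.
const KEY = crypto.randomBytes(32);

// Assumed binding format: an unambiguous encoding of table, column and primary key.
function recordContext(table, column, recordId) {
  return Buffer.from(JSON.stringify([table, column, String(recordId)]), 'utf8');
}

// Returns base64(iv || tag || ciphertext); the record context is authenticated but not stored.
function encryptField(key, plaintext, table, column, recordId) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(recordContext(table, column, recordId));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte authentication tag
  return Buffer.concat([iv, tag, ct]).toString('base64');
}

// Throws unless key, ciphertext, tag and record context all match what was encrypted.
function decryptField(key, stored, table, column, recordId) {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < 28) throw new Error('ciphertext too short');
  const iv = raw.subarray(0, 12);
  const tag = raw.subarray(12, 28);
  const ct = raw.subarray(28);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  decipher.setAAD(recordContext(table, column, recordId));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// True when decryption is refused, e.g. a value copied onto another row or modified in place.
function isRejected(key, stored, table, column, recordId) {
  try {
    decryptField(key, stored, table, column, recordId);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample: a tax ID encrypted for row 101 of a hypothetical "buyers" table.
const sample = encryptField(KEY, '12-3456789', 'buyers', 'tax_id', 101);
console.log('same record:', decryptField(KEY, sample, 'buyers', 'tax_id', 101));
console.log('moved to row 102 rejected:', isRejected(KEY, sample, 'buyers', 'tax_id', 102));
```

Because the record context is part of the authentication tag, a ciphertext copied into a different row or column fails verification in the same way as one whose bytes were altered.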
All data transmitted between your browser and our servers is encrypted in transit using TLS 1.3, the latest transport layer security protocol.
Document Storage
Documents uploaded during buyer qualification — such as government IDs, financial statements, and insurance certificates — are stored in private cloud storage that is not publicly accessible. Documents can only be retrieved through an authenticated proxy that verifies administrator identity before serving any file.
Uploaded files are validated by file type, MIME type, and file signature before acceptance. Original filenames are replaced with randomized identifiers to prevent information leakage through filename patterns.
Access Controls
FIXnotes enforces role-based access controls across the platform. Buyer qualification data is accessible only to authenticated administrators. All administrative actions — including document access, tier approvals, status changes, and membership updates — are recorded in an immutable audit log that captures the administrator, action, timestamp, and request context.
Authentication
User passwords are hashed using bcrypt with a computational cost factor that makes brute-force attacks impractical. Passwords are never stored in plaintext or logged. User sessions are managed with signed, time-limited tokens.
Payment Security
FIXnotes does not store, process, or have access to your credit card or bank account information. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor — the highest level of certification in the payment card industry.
Infrastructure
- Application hosting: Vercel's edge network with automatic HTTPS, DDoS protection, and global CDN
- Database: Neon PostgreSQL with enforced SSL connections and channel binding authentication
- Rate limiting: Per-IP request throttling to protect against abuse
- Security headers: Strict Transport Security (HSTS), Content Security Policy (CSP), X-Frame-Options, and Referrer-Policy headers on all responses
Responsible Disclosure
If you discover a security vulnerability on FIXnotes, we ask that you report it responsibly. Please email security@fixnotes.com with a description of the issue. We will acknowledge your report within 48 hours and work to address confirmed vulnerabilities promptly.
We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
Questions
If you have questions about our security practices or would like to discuss our data protection measures in more detail, book a call with our team or email us at security@fixnotes.com.