Security posture · public beta

Trust is a system.
Not a badge.

FareSift is designed to minimize sensitive data, keep card entry with Stripe, verify critical events, and make every assurance claim testable. Where independent validation is not complete, we say so.

Security by boundary

Less sensitive data. Fewer places to attack.

The strongest control is often choosing not to receive the data in the first place.

01

Card data stays with Stripe

If subscriptions are activated, hosted Checkout—not a FareSift form—collects payment details. The application is designed to store only limited Stripe identifiers and subscription state.

02

Identity is server-verified

Protected account and billing actions use the platform-authenticated identity; the browser never declares its own account authority.

03

Traveler data is minimized

The beta does not request passport images, known-traveler numbers, card numbers, or health information.

04

Secrets remain server-side

Provider keys, webhook secrets, and email credentials are runtime secrets—not browser variables or database content.

Payment architecture · disabled pending evidence

FareSift does not render a card field.

When activated, a plan selection creates a server-owned purchase intent, an allowlisted Price ID is sent to Stripe, and the traveler is redirected to Stripe-hosted Checkout. Access can activate only after a signed, replay-limited webhook is durably recorded. Until the operator evidence gates pass, the beta records a no-charge plan selection instead.

  • Server-owned prices and redirect destinations
  • Five-minute signature tolerance and duplicate-event ledger
  • No success-page-only entitlement
1FareSiftAuthenticated plan intent
2Stripe CheckoutCard entry and authentication
3Signed webhookVerified subscription state
Readiness register

What each standard means here.

Readiness means internal implementation work only. Examination, attestation, validation, and certification require the applicable qualified independent parties. The limited Spanish overview is published with external linguistic and legal review still pending.

OWASP ASVS 5.0.0Engineering baseline

Level 2 is the application-verification target, with selected higher-assurance controls for payments, administration, and future autonomous purchasing. This is not an OWASP certification, assessment result, or endorsement.

OWASP Top 10:2025Threat model mapped

Web and API controls are mapped to the current Top 10:2025 and API Security Top 10:2023 awareness models, then verified against the deeper ASVS requirements.

SOC 2No SOC 2 report

Controls and evidence are being mapped to the AICPA Trust Services Criteria. FareSift has not undergone a CPA SOC 2 examination and has no Type I or Type II report.

ISO/IEC 27001:2022Not certified

The security program is being organized around a risk-based information-security management system, including Amendment 1:2024. FareSift has not completed a certification audit.

PCI DSS v4.0.1Validation pending

Stripe-hosted Checkout is the subscription-payment design. It can reduce the card-data boundary, but FareSift still must confirm its merchant scope and validation obligations with its acquirer or qualified adviser.

HIPAAOutside current operating scope

FareSift does not solicit PHI and its current operations are not intended to make it a covered entity or business associate. Applicability depends on legal and operational facts; HIPAA is not a certification.

Application security

Same-origin write enforcement, bounded JSON bodies, durable rate limits, strict outbound allowlists, and signed-webhook verification are part of the current code baseline. This list is not an independent assessment or a production-readiness determination.

Authenticated correspondence

FareSift correspondence identifies FareSift and Michai Media. Delivery remains disabled until the exact sending domain passes SPF, DKIM, and DMARC alignment, Reply-To reaches a monitored inbox, and the results are recorded.

Coordinated disclosure

Security reports can be submitted through the support channel published in our security.txt file. Do not include secrets, card data, or passport information.

Assurance boundary

No invented compliance. No vague “bank-grade” claims.

FareSift has no SOC 2 report, is not ISO/IEC 27001 certified, does not claim an OWASP assessment or automatic PCI compliance, and does not treat HIPAA as a certification. Independent testing, audit evidence, merchant validation, legal review, and factual applicability remain explicit gates.

Contact the trust team