---
title: "Security"
description: "Security practices and trust information for web2app.tools."
canonical: "https://web2app.tools/security"
dateModified: "2026-06-13"
audience: "Security and procurement reviewers"
productFit: "both"
---
# Security

## Infrastructure
Production traffic is served over HTTPS with HSTS on public marketing and app routes.
Application secrets are stored in environment configuration, not in client bundles.

## Data protection
Encryption in transit for public and authenticated routes. Workspace-scoped access controls on dashboard and server actions.
Payment data is handled by Stripe and Paddle; card numbers are not stored on our servers.

## Operational security
Webhook idempotency for payment providers. Uploads stored on configured persistent volumes per deployment.
- Session cookies for dashboard auth
- Per-workspace Stripe/Paddle keys
- Webhook event deduplication