Security
Security overview.
This page describes the security controls currently in place at DNA WEB. It is maintained by ELP Ventures IV LLC and reflects the platform's configuration today. It is not an attestation or independent audit report.
Authentication & sessions
- Sign-in via Google and Apple (no DNA WEB-held passwords).
- Leaked-password protection (HIBP) enabled for password-based flows.
- Anonymous sign-ups are disabled.
- Sign-out clears client cache and replaces history to protect shared devices.
Data protection
- HTTPS/TLS for all traffic to dnaweb.ai.
- Provider-managed encryption at rest for the application database.
- Row-Level Security on customer-data tables; access scoped to the authenticated user.
- Service-role access restricted to server-side code paths.
Application security
- Input validation on server functions (Zod-style schemas).
- Webhook signature verification for payment events.
- Pinned search_path on security-definer database functions.
- Regular dependency scanning and review.
Payments
- Card data is handled exclusively by Stripe (PCI-DSS Level 1).
- DNA WEB does not store full card numbers, CVCs or bank credentials.
- Subscription state is synced via signature-verified Stripe webhooks.
Responsible disclosure
Found a vulnerability? Tell us.
We welcome reports from security researchers. Please email info@dnaweb.ai with steps to reproduce. Do not access data that is not yours, perform DoS testing, or publicly disclose before we have had a reasonable chance to respond.
No system is perfectly secure. We continue to invest in monitoring, dependency review and process maturity. See Trust Center for subprocessors and Status for availability.