Effective date: April 26, 2026
Drupefruit™ LLC takes the security of its software products and the data entrusted to them seriously. This page describes our approach in plain terms and how to reach our security team.
If you believe you have found a security vulnerability in any Drupefruit product or domain, please contact us at security@drupefruit.com.
We ask that you:
We will acknowledge receipt within five (5) business days and keep you updated on remediation. We do not currently operate a paid bug bounty, but we deeply appreciate responsible disclosure and will credit reporters who request it.
Security contact: security@drupefruit.com
PGP: available on request.
All connections to Drupefruit products are protected by TLS 1.2 or higher. Customer data stored in our application database and file storage is encrypted at rest by our infrastructure providers using industry-standard algorithms.
Account access is protected by email verification and one-time passcode flows. Sensitive product features additionally require server-side validation of authorization on every request.
Card payments are processed exclusively through PCI-compliant third-party providers. Cardholder data is collected directly by the payment processor's hosted UI surfaces and never touches Drupefruit servers, qualifying our handling under PCI DSS SAQ A. Drupefruit does not store, transmit, or have access to card numbers, CVCs, or full track data.
Customer data is logically isolated using row-level security policies in our application database. Service-role access is restricted to background workers and audited.
Inbound webhooks (payment events, telephony events, mailbox events) are validated against the issuing provider's signature before any database write. Idempotency keys protect against duplicate processing on provider retries.
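As an added illustration of the webhook control described above (example code, not Drupefruit's own), the receiver below checks an HMAC-SHA256 signature over the raw body in constant time before any write and then drops provider retries by idempotency key. The header name, the HMAC-SHA256 scheme and the `event_id` field are assumptions about a generic provider.

```python
"""Illustrative webhook receiver: verify the provider's signature first,
then de-duplicate on the event's idempotency key before writing.
Added example, not Drupefruit's code; header name, signing scheme and
'event_id' field are assumptions about a generic provider."""
import hashlib
import hmac
import json
from typing import Dict, Optional

WEBHOOK_SECRET = b"constructed-shared-secret"  # assumed secret shared with the provider


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 a provider would place in its signature header (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header_sig: Optional[str], secret: bytes = WEBHOOK_SECRET) -> bool:
    """Constant-time comparison over the raw bytes, never over re-serialised JSON."""
    if not header_sig:
        return False
    return hmac.compare_digest(sign(body, secret), header_sig)


class WebhookProcessor:
    def __init__(self) -> None:
        # constructed in-memory stand-in for the database's idempotency table
        self.processed: Dict[str, dict] = {}

    def handle(self, body: bytes, headers: Dict[str, str]) -> str:
        """Return 'rejected', 'duplicate' or 'written'; a write needs both checks to pass."""
        if not verify_signature(body, headers.get("X-Provider-Signature")):
            return "rejected"      # unsigned or tampered: nothing is parsed or written
        event = json.loads(body)
        key = event["event_id"]    # provider-supplied idempotency key (assumed field name)
        if key in self.processed:
            return "duplicate"     # provider retry: acknowledge without a second write
        self.processed[key] = event
        return "written"


# Constructed sample: one payment event delivered twice, plus a tampered copy.
SAMPLE_EVENT = json.dumps({"event_id": "evt_001", "type": "payment.succeeded", "amount": 1999}).encode()
SAMPLE_HEADERS = {"X-Provider-Signature": sign(SAMPLE_EVENT)}
TAMPERED_EVENT = SAMPLE_EVENT.replace(b"1999", b"1")  # body altered, signature now stale


def demo() -> list:
    """Run the four cases in order: first delivery, retry, tampered body, missing header."""
    p = WebhookProcessor()
    return [p.handle(SAMPLE_EVENT, SAMPLE_HEADERS),
            p.handle(SAMPLE_EVENT, SAMPLE_HEADERS),
            p.handle(TAMPERED_EVENT, SAMPLE_HEADERS),
            p.handle(SAMPLE_EVENT, {})]
```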
We rely on a small set of vetted infrastructure providers, each contractually bound to confidentiality and security obligations. A list of categories of subprocessors is available on request to privacy@drupefruit.com.
Application logs are scrubbed of personally identifiable information before storage. Customer email addresses, phone numbers, and identifiers are reduced to non-reversible references in operational telemetry.
The application database is backed up by our infrastructure provider on a continuous basis with point-in-time recovery available.
Drupefruit operates under California law and complies with applicable consumer privacy and SMS regulations including the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Telephone Consumer Protection Act (TCPA), and the CTIA Messaging Principles and Best Practices. We do not currently hold formal SOC 2 or ISO 27001 attestations; customers requiring formal attestations should contact security@drupefruit.com to discuss timelines.
A machine-readable security contact for automated tooling is published at /.well-known/security.txt following RFC 9116.
Drupefruit LLC
2108 N St, Ste N
Sacramento, CA 95816
United States
Security: security@drupefruit.com
Privacy: privacy@drupefruit.com