Built to protect every artist, fan, and dollar.
StardomFans.com handles real money for independent artists. Here's exactly how we keep your accounts, payouts, and personal data safe — in plain English.
Account Protection
- Industry-standard bcrypt hashing — your password is never stored or logged in plain text. Even our engineers can't read it.
- Brute-force lockout — 5 wrong attempts in 15 minutes from the same IP triggers an automatic time-out. Bots can't guess their way in.
- Strong password policy — minimum 8 characters with letters and numbers.
- Optional 2-factor authentication by email OTP — enable it from your Dashboard → Security.
- Auto-rotating session tokens — silent rotation every 24 hours so a stolen cookie can't live forever.
- Global session revocation — change your password and every device is signed out instantly.
Payment Safety (Stripe Connect)
We don't touch raw card numbers. Every payment runs through Stripe — a PCI-DSS Level 1 certified processor trusted by millions of businesses.
- Cryptographically signed webhooks — every payment event is verified with Stripe's signature so attackers can't fake “payment succeeded” calls.
- Restricted API keys — our backend uses scoped Stripe keys with the minimum permissions needed.
- 90% / 10% revenue split, automated — artists are paid directly through Stripe Connect. No manual transfers, no held funds.
- ACH & crypto fallbacks — payment failures gracefully degrade so fans never get stuck at checkout.
API & Infrastructure
- HTTPS-only — all traffic to stardomfans.com is TLS-encrypted end-to-end.
- Hardened HTTP headers — X-Frame-Options: DENY, X-Content-Type-Options: nosniff, strict referrer policy. Blocks clickjacking and MIME-sniffing attacks.
- CORS lockdown — only requests from our official domain are accepted.
- Secrets in environment variables — no API keys, passwords, or tokens are ever committed to source code.
- Time-to-live (TTL) database indexes — failed login records auto-purge so sensitive metadata doesn't pile up.
Privacy & Data Handling
- Minimal data collection — we ask for what we need to operate the platform, nothing more.
- No selling, ever — your data is never sold to third parties or ad networks.
- Email enumeration protection — our “forgot password” flow returns the same response for valid and invalid emails so attackers can't fish for accounts.
- Right to delete — request full account deletion at any time. See our Privacy Policy.
Trust & Safety for Creators
- Verified artist badges — we manually verify high-profile artist accounts to prevent impersonation.
- Corporate tier vetting — businesses that open branded stores go through a verification queue before listing.
- Community reporting — every post, product, and event has a one-tap report button. Reports are reviewed by our moderation queue.
- Full audit log — every admin action and sensitive operation is recorded for accountability.
Reliability
- Managed cloud infrastructure with automatic scaling.
- Database backups via our managed MongoDB provider.
- Status & uptime monitoring — issues are detected and triaged before they affect users.
Automated 24-Hour AI Health Check
Every 24 hours, an in-house AI co-pilot runs a full platform integrity sweep — no humans needed. Each report is sealed in our admin audit trail and reviewed daily.
- Account integrity — scans for orphan records, missing emails, broken artist/user linkage, malformed documents.
- Auth anomalies — surfaces unusual spikes in failed logins, locked-out IPs, and session activity vs. baseline.
- Payment trail audit — reconciles Stripe webhook events with transaction records to detect any drift.
- Content moderation queue — counts pending reports and flags backlogs.
- Plain-English AI summary — a human-readable verdict (“healthy” / “attention needed”) plus prioritised remediation steps, ready for the admin team every morning.
- Tamper-evident reports — every report is timestamped and immutable in our system_health_reports ledger.
Responsible Disclosure
Found a vulnerability? We want to know. Get in touch through our Partnerships & Security Contact form with a clear write-up and reproduction steps. We commit to:
- Acknowledging your report within 48 hours.
- Keeping you updated as we triage and remediate.
- Publicly crediting researchers who act in good faith (if you want).
- Not pursuing legal action against good-faith security research on our staging or scoped surfaces.
Compliance Posture
We're continuously improving our security and privacy posture. Current state:
- PCI-DSS — out-of-scope by design (we never receive card numbers; Stripe handles all card data).
- GDPR / CCPA — we honor data-access and right-to-delete requests for all users.
- DMCA — designated agent and takedown process described in our Copyright Policy.
Building something with us?
Corporate partners, label execs, and enterprise customers — request our full security questionnaire, Stripe Connect deep-dive, or a custom security review.
Last reviewed: February 2026 · This page is a living document and is updated as our posture evolves.
