SECURITY & TRUST

Built to protect every artist, fan, and dollar.

StardomFans.com handles real money for independent artists. Here's exactly how we keep your accounts, payouts, and personal data safe — in plain English.

Account Protection

  • Industry-standard bcrypt hashing — your password is never stored or logged in plain text. Even our engineers can't read it.
  • Brute-force lockout — 5 wrong attempts in 15 minutes from the same IP triggers an automatic time-out. Bots can't guess their way in.
  • Strong password policy — minimum 8 characters with letters and numbers.
  • Optional 2-factor authentication by email OTP — enable it from your Dashboard → Security.
  • Auto-rotating session tokens — silent rotation every 24 hours so a stolen cookie can't live forever.
  • Global session revocation — change your password and every device is signed out instantly.

Payment Safety (Stripe Connect)

We don't touch raw card numbers. Every payment runs through Stripe — a PCI-DSS Level 1 certified processor trusted by millions of businesses.

  • Cryptographically signed webhooks — every payment event is verified with Stripe's signature so attackers can't fake “payment succeeded” calls.
  • Restricted API keys — our backend uses scoped Stripe keys with the minimum permissions needed.
  • 90% / 10% revenue split, automated — artists are paid directly through Stripe Connect. No manual transfers, no held funds.
  • ACH & crypto fallbacks — payment failures gracefully degrade so fans never get stuck at checkout.
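As an added illustration (not StardomFans' own code), this is the check a Stripe webhook handler performs before trusting a “payment succeeded” event: the `Stripe-Signature` header carries a timestamp `t` and one or more `v1` HMAC-SHA256 signatures over `"<t>.<raw body>"`, keyed with the endpoint's signing secret. Stripe's official SDKs do this for you; the secret and event below are constructed values.

```python
import hashlib
import hmac
import json

# Constructed sample secret; a real whsec_ value comes from the Stripe dashboard
# and is read from an environment variable, never committed to source.
ENDPOINT_SECRET = "whsec_constructed_example_secret"
DEFAULT_TOLERANCE_SECONDS = 300  # Stripe's documented default replay window


def sign_payload(payload: bytes, timestamp: int, secret: str) -> str:
    """Compute Stripe's v1 signature: HMAC-SHA256 over "<timestamp>.<raw body>"."""
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def build_header(payload: bytes, timestamp: int, secret: str) -> str:
    """Build a Stripe-Signature header the way Stripe would (used here for the demo)."""
    return f"t={timestamp},v1={sign_payload(payload, timestamp, secret)}"


def verify_stripe_signature(payload: bytes, header: str, secret: str, now: int,
                            tolerance: int = DEFAULT_TOLERANCE_SECONDS) -> bool:
    """Accept only if the timestamp is fresh and some v1 signature matches the raw body."""
    timestamp, candidates = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":  # several v1 entries appear while a secret is being rotated
            candidates.append(value)
    if timestamp is None or not candidates:
        return False
    if abs(now - timestamp) > tolerance:  # stale or replayed event
        return False
    expected = sign_payload(payload, timestamp, secret)
    # Constant-time comparison against every candidate; any match is enough.
    return any(hmac.compare_digest(expected, c) for c in candidates)


def demo() -> dict:
    """Constructed event run through the four cases a handler must get right."""
    event = json.dumps({"id": "evt_constructed", "type": "payment_intent.succeeded"}).encode()
    now = 1_700_000_000
    header = build_header(event, now, ENDPOINT_SECRET)
    return {
        "genuine": verify_stripe_signature(event, header, ENDPOINT_SECRET, now),
        "tampered_body": verify_stripe_signature(event.replace(b"succeeded", b"failed"), header, ENDPOINT_SECRET, now),
        "wrong_secret": verify_stripe_signature(event, header, "whsec_other", now),
        "replayed_later": verify_stripe_signature(event, header, ENDPOINT_SECRET, now + 600),
    }
```

Verify against the raw request bytes, not a re-serialised JSON object, or a genuine event will fail the check.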

API & Infrastructure

  • HTTPS-only — all traffic to stardomfans.com is TLS-encrypted end-to-end.
  • Hardened HTTP headers — X-Frame-Options: DENY, X-Content-Type-Options: nosniff, strict referrer policy. Blocks clickjacking and MIME-sniffing attacks.
  • CORS lockdown — only requests from our official domain are accepted.
  • Secrets in environment variables — no API keys, passwords, or tokens are ever committed to source code.
  • Time-to-live (TTL) database indexes — failed login records auto-purge so sensitive metadata doesn't pile up.

Privacy & Data Handling

  • Minimal data collection — we ask for what we need to operate the platform, nothing more.
  • No selling, ever — your data is never sold to third parties or ad networks.
  • Email enumeration protection — our “forgot password” flow returns the same response for valid and invalid emails so attackers can't fish for accounts.
  • Right to delete — request full account deletion at any time. See our Privacy Policy.

Trust & Safety for Creators

  • Verified artist badges — we manually verify high-profile artist accounts to prevent impersonation.
  • Corporate tier vetting — businesses that open branded stores go through a verification queue before listing.
  • Community reporting — every post, product, and event has a one-tap report button. Reports are reviewed by our moderation queue.
  • Full audit log — every admin action and sensitive operation is recorded for accountability.

Reliability

  • Managed cloud infrastructure with automatic scaling.
  • Database backups via our managed MongoDB provider.
  • Status & uptime monitoring — issues are detected and triaged before they affect users.

Automated 24-Hour AI Health Check

Every 24 hours, an in-house AI co-pilot runs a full platform integrity sweep — no humans needed. Each report is sealed in our admin audit trail and reviewed daily.

  • Account integrity — scans for orphan records, missing emails, broken artist/user linkage, malformed documents.
  • Auth anomalies — surfaces unusual spikes in failed logins, locked-out IPs, and session activity vs. baseline.
  • Payment trail audit — reconciles Stripe webhook events with transaction records to detect any drift.
  • Content moderation queue — counts pending reports and flags backlogs.
  • Plain-English AI summary — a human-readable verdict (“healthy” / “attention needed”) plus prioritised remediation steps, ready for the admin team every morning.
  • Tamper-evident reports — every report is timestamped and immutable in our system_health_reports ledger.

Responsible Disclosure

Found a vulnerability? We want to know. Get in touch through our Partnerships & Security Contact form with a clear write-up and reproduction steps. We commit to:

  • Acknowledging your report within 48 hours.
  • Keeping you updated as we triage and remediate.
  • Publicly crediting researchers who act in good faith (if you want).
  • Not pursuing legal action against good-faith security research on our staging or scoped surfaces.

Compliance Posture

We're continuously improving our security and privacy posture. Current state:

  • PCI-DSS — out-of-scope by design (we never receive card numbers; Stripe handles all card data).
  • GDPR / CCPA — we honor data-access and right-to-delete requests for all users.
  • DMCA — designated agent and takedown process described in our Copyright Policy.

Building something with us?

Corporate partners, label execs, and enterprise customers — request our full security questionnaire, Stripe Connect deep-dive, or a custom security review.

Last reviewed: February 2026 · This page is a living document and is updated as our posture evolves.