Last updated · May 3, 2026

Security

The most sensitive thing we hold for you is your North API key. This page explains how we keep it safe, how we isolate merchant data, and how to report a vulnerability.

Credential encryption

North credentials (API key, checkout ID, profile ID) are encrypted with AES-256-GCM before they are written to the database. The encryption key lives only in the server environment and is never exposed to the browser. Decryption happens per request in a server function, and the plaintext never leaves memory.
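
The following is an added example, not this service's own code: one way to implement the encrypt-before-write, decrypt-per-request pattern described above with Node's built-in crypto module. The function names, the hex-encoded key, the iv || tag || ciphertext storage layout and the use of the merchant uid as associated data are assumptions of this example.

```javascript
// Added example: AES-256-GCM envelope for a stored credential (Node.js built-in crypto).
const crypto = require("node:crypto");

const IV_LEN = 12;  // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16; // 128-bit authentication tag

// Assumption: the key is supplied as 64 hex characters from a server-only variable.
function loadKey(hex) {
  const key = Buffer.from(hex ?? "", "hex");
  if (key.length !== 32) throw new Error("encryption key must be 32 bytes");
  return key;
}

// Returns base64(iv || tag || ciphertext). The uid is bound as associated data
// (assumption), so a record copied under another merchant fails to decrypt.
function encryptCredential(key, uid, plaintext) {
  const iv = crypto.randomBytes(IV_LEN); // fresh nonce per encryption, never reused
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(uid, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Throws if the key, uid, nonce, tag or ciphertext does not match what was stored.
function decryptCredential(key, uid, stored) {
  const raw = Buffer.from(stored, "base64");
  if (raw.length < IV_LEN + TAG_LEN) throw new Error("stored value too short");
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = raw.subarray(IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(uid, "utf8"));
  decipher.setAuthTag(tag); // final() verifies the tag before any plaintext is returned
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}
```

Because GCM is authenticated, a modified database value or a ciphertext moved to a different uid raises an error at `decipher.final()` instead of yielding altered plaintext.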

Authentication

Sign-in is handled by Firebase Auth (email plus password). Passwords are salted and hashed by Firebase; we never see them. Sessions use short-lived ID tokens, refreshed on each load.

Data isolation

All merchant data is nested under merchants/{uid} in Firestore. Security rules deny all reads and writes unless the authenticated user matches the document path, which means a merchant cannot read another merchant's customers or transactions, even with a valid login.

Transport

All network traffic is served over TLS 1.2+. The custom payment page (/pay/[token]) loads North's embedded checkout iframe directly from checkout.north.com — payment card details are never seen or stored by our servers.

Backups and durability

Firestore is replicated across multiple zones automatically. We take point-in-time backups daily and retain them for 30 days. Logo files live in Vercel Blob with the same multi-region durability.

Reporting a vulnerability

If you find a security issue, please email security@vibeandpay.com with steps to reproduce. We acknowledge reports within 48 hours and do not pursue legal action against good-faith researchers who follow responsible disclosure.