Security at Aflink

The Aflink service (aflink.io and app.aflink.io) is owned and operated by Fungies Europe Prosta Spółka Akcyjna (P.S.A.) — a simple joint-stock company incorporated under Polish law and registered with the National Court Register (KRS).

• Legal name: Fungies Europe Prosta Spółka Akcyjna (P.S.A.)
• Registered seat: Al. Jerozolimskie 109 / 70, 02-011 Warsaw, Poland
• KRS (Polish National Court Register): 0001137340
• NIP (VAT ID): PL5214093272
• REGON: 540135615
• Share capital: 10,000 PLN
• Public registry record: https://rejestr.io/krs/1137340/fungies-europe
• Contact email: contact@fungies.io

Throughout this document, "Aflink", "we", "us", and "our" refer to Fungies Europe P.S.A. unless explicitly stated otherwise.

We design Aflink around three principles: minimise attack surface, default to least privilege, and assume breach. Every new feature ships with a threat model, every customer data path is encrypted, and every access path is audited.

We follow the OWASP Top 10, OWASP API Security Top 10, and the security controls required by GDPR Article 32. Our roadmap targets SOC 2 Type II in 2026 and ISO 27001 thereafter; details on request via support@fungies.io.

• Customer data lives on Supabase EU (eu-central-1, Frankfurt), behind managed Postgres with continuous WAL backups.
• Application code is served by Vercel using EU edge regions; rendering happens close to your users with no customer data persisted at the edge.
• Cloudflare sits in front of every public endpoint, providing DDoS protection, a managed Web Application Firewall, bot mitigation, and global TLS termination.
• Internal services run in private VPCs with no inbound traffic except via Cloudflare tunnels.

• Postgres Row Level Security (RLS) is enabled on every customer-facing table — each query is filtered by the authenticated user's identity.
• Role-based access control with the least-privilege principle: end users, brand admins, affiliates, and our internal staff each see only what they need.
• Multi-factor authentication is required for every Aflink employee account and is offered to every customer.
• Just-in-time production access for engineers, with full session recording and a peer approval workflow.
• Quarterly access reviews; offboarding revokes credentials within 1 hour of departure.

• Cloudflare WAF rules tuned for OWASP Top 10 and rate limits per IP, per route, and per account.
• Strict Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Permissions-Policy and Referrer-Policy headers on every response.
• All inputs are validated with Zod schemas before they reach the database.
• CSRF protection on every state-changing request; webhooks verified with HMAC-SHA256 and a timing-safe comparison.
• Dependency scanning on every pull request; high-severity CVEs are patched within 7 days.

• Continuous WAL replication with point-in-time recovery up to 7 days for all customer data.
• Daily encrypted snapshots retained for 30 days; weekly snapshots retained for 90 days.
• Recovery Point Objective (RPO): ≤ 5 minutes. Recovery Time Objective (RTO): ≤ 4 hours.
• Disaster-recovery runbooks executed end-to-end at least once per quarter.

• Structured application logs are centralised, immutable for 90 days, and tied to a request-ID end to end.
• Authentication events, payout events, and admin actions are written to a dedicated audit table with append-only RLS.
• Alerting on anomalous logins, abnormal API rate, and failed-payout spikes — paged 24/7 to on-call.
• Privacy-preserving error tracking: stack traces only, no user payloads, automatic PII scrubbing.

• Static analysis (SAST) and secret scanning on every pull request.
• Software Bill of Materials (SBOM) generated on every deploy; dependency drift monitored daily.
• Annual third-party penetration test; results summary available to enterprise customers under NDA.
• We welcome security research — contact support@fungies.io with a proof-of-concept; we acknowledge within 48 hours and credit reporters in our hall of fame (with consent).

1. Detect — alerts trigger automated paging; on-call engineer acknowledges within 15 minutes.
2. Triage — incident commander assigned; severity classified (SEV-1 to SEV-3).
3. Contain — isolate the blast radius, revoke compromised credentials, deploy mitigations.
4. Eradicate & recover — patch the root cause, restore service, validate integrity.
5. Notify — personal-data breaches are notified to the relevant supervisory authority within 72 hours and to affected customers without undue delay (GDPR Art. 33–34).
6. Learn — blameless post-mortem within 5 business days; action items tracked publicly to customers.

We publish the full sub-processor list on the Privacy Policy page. Customers on annual plans are notified by email at least 30 days before any new sub-processor is engaged and may object in writing.

• Email: support@fungies.io
• PGP key: available on request
• We do not pursue legal action against researchers who follow good-faith disclosure.