Security
Last updated June 2026
Our security practices
Classmade takes the security of seller and buyer data seriously. All data is transmitted over HTTPS. Passwords are hashed and never stored in plain text. Downloadable files are stored in private object storage and served through short-lived, signed URLs — buyers cannot share or hotlink your files.
Payments are processed entirely by Stripe — Classmade never receives or stores full card numbers or bank details.
Authentication
Seller accounts are secured with email and password; passwords are hashed and never stored in plain text. We recommend a strong, unique password. Buyers can sign in without a password using a one-time magic link. If you believe your account has been compromised, change your password immediately and contact support@classmade.co.
Data isolation
Classmade is multi-tenant: every store, and all of the data that belongs to it, is keyed to a unique identifier and isolated at the database level using PostgreSQL Row-Level Security. Sellers can only access their own store’s data, and buyers can only access their own orders. This separation is enforced by the database itself, not just by application code.
Payments
All payments and payouts are processed by Stripe. Card and bank details are entered directly into Stripe’s hosted checkout; they never pass through Classmade’s servers and are never stored on them, which keeps that data within Stripe’s PCI-DSS–certified environment.
Infrastructure & subprocessors
Classmade is built on Supabase (database and authentication), Vercel (hosting and edge delivery), Stripe (payments and payouts), and Resend (email). Each of these providers maintains its own security program and independent compliance certifications, such as SOC 2. You can view their current status and security documentation on their respective websites.
Responsible disclosure
If you discover a security vulnerability in Classmade, please report it responsibly before disclosing it publicly. We ask that you:
1. Email a description of the issue to security@classmade.co. Include steps to reproduce, the potential impact, and any proof-of-concept if applicable.
2. Give us reasonable time to investigate and address the issue before any public disclosure — typically 30 days.
3. Do not access, modify, or delete data that does not belong to you as part of your research.
We will acknowledge your report within 48 hours and keep you updated throughout the process. We appreciate the security research community's efforts to keep Classmade safe.
Contact
Security reports: security@classmade.co
General support: support@classmade.co