Park Graph Security Posture

Security is a system, not a feature. Park Graph organises controls into five enforcement points so any single failure has a layer behind it. The diagram below shows what each layer enforces and why it exists; the rest of this page expands on each layer in turn.

The model is intentionally simple. Complex security architectures are easier to misconfigure, and a misconfiguration is the root cause of most public breaches. Five layers, each with a small surface area, mean every engineer on the team can name what each layer does without consulting a diagram.

All public traffic enters through Cloudflare. That gives us three things before a request reaches our origin: TLS 1.3 termination with modern cipher suites, automatic mitigation of volumetric DDoS, and a Web Application Firewall that scores and drops obvious abuse (SQL-injection probes, malformed headers, known-bad user agents). Rate limits are stricter for unsigned API requests and looser for authenticated operator dashboards.

Bot scoring at the edge is what keeps scrapers off Park Graph's public lot pages without blocking legitimate AI agents. Agents identified by a known signed user agent (ChatGPT, Gemini, Perplexity, Claude) get a higher rate limit; unsigned scrapers get a low one. The same edge layer enforces the country-blocklist for sanctioned jurisdictions.

The application layer is the Next.js 15 server. Authenticated requests use server actions with per-account API keys derived from the driver or operator session. CSRF protection is on by default for state-changing requests. Inputs are validated with Zod schemas at the boundary — anything that fails validation is rejected before it touches the database.

Admin and operator actions that change pricing, payouts, or permissions are signed with a per-action token that includes the actor identity, the target resource, and a short expiration. The signature is verified at the database layer (RLS policy) so a bug in the application code cannot let a forged action through.

Server-rendered React reduces the client-side attack surface: there is no large untrusted SPA bundle making cross-origin requests. The dashboard's progressive enhancement is built so that, if JavaScript fails entirely, the user can still log in and see their data — and an attacker who breaks JavaScript execution gains nothing.

Park Graph stores operational data in a Supabase-hosted Postgres database in us-east-1. Every multi-tenant table has row-level security policies that restrict reads and writes to the owning account. Service-role access (used by background jobs) is scoped to specific operations and audited separately from the user-facing application.

Backups run nightly with point-in-time recovery on the WAL. Backup snapshots are encrypted with AES-256 and replicated to a second AWS region so a regional event does not become a data loss event. Backup restore is tested at least quarterly; we measure restore time, not just backup success.

The data layer is also where the cardinal "no PAN" rule is enforced. There is no column anywhere in the schema that holds a raw card number. The only payment artefacts we store are the Stripe PaymentMethod token, the brand, the last four digits, and the expiry month + year — the minimum needed to render a receipt and to defend a chargeback. See payment security for the full payment-data flow.

Secrets — database credentials, Stripe keys, third-party API tokens, signing keys — live in a managed vault. They are injected at runtime, not baked into images. Each environment (development, staging, production) has its own copy. Rotations run on a schedule plus immediately on any suspected compromise.

Source code is scanned in CI for accidentally-committed secrets. A secret leak in source is treated as a security incident, with rotation triggered before the merge is even completed. The vault's own audit log is a separate stream from the application audit log so a compromise of one does not erase evidence of access to the other.

Every administrative action, every agent action, every payout, every refund, and every login event is appended to an immutable audit log. Entries include the actor identity, the target resource, the source IP, the user agent, the result, and a timestamp. The log is retained for seven years to support fraud and dispute defence.

Operators can request an export of audit events scoped to their own account at any time. AI agent actions are tagged with the agent identifier and the consent token so a driver can audit exactly which agent did what on their behalf. See AI-agent safety for the agent-side detail.

Trust pages exist to be honest. Today, Park Graph does not hold a current SOC 2 — Type II attestation, an ISO 27001 certificate, a HIPAA business-associate certification, or a stand-alone PCI-DSS Level 1 attestation as a merchant (Stripe holds Level 1 for the cardholder data path; our merchant scope is SAQ A). We will publish each of those when the corresponding work is complete. The audit window for SOC 2 opens Q3 2026; the attestation report will be linked from this page on the day it is final.

We also do not publish a fixed uptime percentage. The status page surfaces classification (operational / degraded / outage) plus the manual incident log instead of a fabricated SLA number. As the public history backfill is finished, the status page will surface a real measured uptime over rolling windows.

For vulnerability disclosure or general security questions: security@parkgraph.com. We acknowledge within one business day. For procurement questionnaires, your account contact will route you to the internal security documentation set under NDA. For driver-facing abuse such as a fake QR sticker, see QR code safety. For payment-specific questions, see payment security. For status and incident communication, see status.