Security

NicheMatcher is built with security as a first-class concern — not an afterthought. Here's how we keep your data safe.

Authentication & SSO

Powered by Clerk — industry-leading auth with support for email/password, OAuth (Google, GitHub), and MFA. Sessions are scoped and can be revoked instantly from the admin panel.

Role-Based Access Control

Two-tier RBAC via Clerk Organizations: org:admin has full access; org:member is restricted to their own data. Admin actions are gated at both the API and UI level.

Audit Logging

Every significant action is logged with timestamp, actor, and context. Admins can view and search the full audit log from the Security dashboard.

Data Isolation

All data is scoped by organisation ID or user ID at the database query level. There is no shared data surface between organisations.

API Security

All API endpoints require a valid Clerk JWT, verified on every request via the JWKS endpoint. There is no persistent API key that can be leaked — tokens expire automatically.

Infrastructure

Hosted on Vercel (edge-deployed, TLS-only, Fluid Compute). Database on Neon (SOC 2 Type II, encryption at rest and in transit). No public database ports.

Found a vulnerability?

We take security reports seriously and respond promptly. Please disclose responsibly to security@nichematcher.com. We will acknowledge your report within 48 hours.

Please do not publicly disclose vulnerabilities until we have had a chance to address them.