Security
NicheMatcher is built with security as a first-class concern — not an afterthought. Here's how we keep your data safe.
Authentication & SSO
Powered by Clerk — industry-leading auth with support for email/password, OAuth (Google, GitHub), and MFA. Sessions are scoped and can be revoked instantly from the admin panel.
Role-Based Access Control
Two-tier RBAC via Clerk Organizations: org:admin has full access; org:member is restricted to their own data. Admin actions are gated at both the API and UI level.
Audit Logging
Every significant action is logged with timestamp, actor, and context. Admins can view and search the full audit log from the Security dashboard.
Data Isolation
All data is scoped by organisation ID or user ID at the database query level. There is no shared data surface between organisations.
API Security
All API endpoints require a valid Clerk JWT, verified on every request via the JWKS endpoint. There is no persistent API key that can be leaked — tokens expire automatically.
Infrastructure
Hosted on Vercel (edge-deployed, TLS-only, Fluid Compute). Database on Neon (SOC 2 Type II, encryption at rest and in transit). No public database ports.
Found a vulnerability?
We take security reports seriously and respond promptly. Please disclose responsibly to security@nichematcher.com. We will acknowledge your report within 48 hours.
Please do not publicly disclose vulnerabilities until we have had a chance to address them.