Security at Xpolink

Xpolink processes billions of click events and millions of short-link redirects. Security isn't a bolt-on — it's built into every layer of the product.

Encryption in transit & at rest

All traffic to xpolink.app and your custom domains is served over TLS 1.2+. Data at rest is encrypted by our infrastructure providers (Neon, Vercel, Stripe, Clerk).

Authentication

Authentication is handled by Clerk with support for email/password, magic links, and OAuth. API access uses scoped API keys bound to your team; keys are hashed before storage.

Platform hardening

We enforce HTTP security headers (HSTS, X-Content-Type-Options, X-Frame-Options, strict Referrer-Policy, tight Permissions-Policy) and a 2-year HSTS preload window.

Safe redirects

Destination URLs are validated at creation and update. Non-http(s) schemes (javascript:, data:, vbscript:) are rejected. All CSV exports pass through a formula-injection filter.
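The two checks described above, a scheme allow-list for destination URLs and a CSV formula-injection filter, as an added JavaScript example that is not Xpolink's own code; the function names and the 2048-character length limit are assumptions.

```javascript
// Added illustration (not Xpolink's code) of the two checks in this section:
// an http(s)-only allow-list for redirect targets and a CSV cell sanitiser.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the normalised destination URL, or null if it must be rejected.
// The WHATWG URL parser lower-cases the scheme and tolerates leading
// whitespace, so "  JavaScript:alert(1)" ends up with protocol "javascript:"
// and is rejected by the allow-list, where a naive "startsWith('javascript:')"
// check would have let it through. Relative or unparsable input is rejected
// too, because it is not a usable redirect target.
function validateDestination(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;
  let url;
  try {
    url = new URL(raw.trim());
  } catch {
    return null;
  }
  // Allow-list rather than deny-list: javascript:, data:, vbscript:, file:
  // and every other scheme fail here.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  if (url.hostname === "") return null;
  return url.href;
}

// Leading characters that make spreadsheet software evaluate a cell as a
// formula when a CSV export is opened.
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

// Neutralises one CSV cell: prefixes a single quote so the cell is treated as
// text, then applies standard CSV quoting (wrap in quotes, double any quotes)
// when the value contains a delimiter, quote or line break.
function csvSafeCell(value) {
  let s = String(value ?? "");
  if (s.length > 0 && FORMULA_TRIGGERS.has(s[0])) s = "'" + s;
  if (/[",\r\n]/.test(s)) s = '"' + s.replace(/"/g, '""') + '"';
  return s;
}

// Joins sanitised cells into one CSV line.
function toCsvRow(cells) {
  return cells.map(csvSafeCell).join(",");
}
```

The quote prefix also lands on legitimate negative numbers such as "-5"; exporters that need those to stay numeric should sanitise only text columns.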

Data handling

  • Short-link destination URLs and click analytics are stored in a private Postgres database (Neon) in our production region.
  • We collect the minimum data needed to deliver link analytics — country, device class, referring domain, and (for Pro+ plans) city and browser. We never sell or share this data with third parties.
  • Passwords, API keys, and captured emails are stored using industry-standard hashing (bcrypt) or tokenisation where reversibility would break the feature.

Sub-processors

A full list of our sub-processors — and the DPA status with each — is published on our Data Processing Addendum page.

Responsible disclosure

If you believe you've found a security issue in Xpolink, please report it to us privately before public disclosure. We'll respond within 3 business days, keep you informed of the fix timeline, and credit you in our release notes if you'd like.

What's in scope

  • xpolink.app and all sub-domains we operate
  • Short-link redirect hosts (xpol.link, xpol.app)
  • The public REST API and the CLI (@xpolink/cli)
  • Official integrations listed under /docs/integrations

Out of scope

  • Third-party services we integrate with (Clerk, Stripe, Neon, Vercel) — please report those issues directly to those vendors
  • Reports that rely on brute force, denial of service, or social engineering of staff or customers
  • Vulnerabilities in user-supplied destination URLs

Last updated: 2026-04-17.