Security

Effective: May 28, 2026

WeRoll is built on modern cloud infrastructure with security best practices to protect user accounts, location visibility, and real-time communications.

Security Controls

  • Encryption in transit — All API traffic, push subscriptions, and WebSocket connections use HTTPS/TLS 1.2+.
  • Encryption at rest — Vendor profiles, location signals, and user records are stored encrypted in managed datastores.
  • Authenticated APIs — Authenticated endpoints require short-lived JWT access tokens issued by AWS Cognito.
  • Tokenized push subscriptions — Push endpoints (APNs, FCM, Web Push) are stored as opaque tokens, not user-identifying URLs.
  • Endpoint masking — Internal infrastructure is access-controlled; no public ingress to backend stores.
  • Least-privilege IAM — Each backend function has narrowly scoped permissions covering only the resources it needs.

Platform Protections

  • Rate limiting — Per-IP and per-account rate limits prevent abuse of broadcast, follow, and notification endpoints.
  • Session expiration — Broadcast sessions expire after 4 hours and after 15 minutes of GPS inactivity.
  • Automated inactivity shutdown — A vendor who stops moving is automatically taken offline so stale location data does not linger.
  • Audit logging — Privileged actions (admin grants, account deletions, vendor profile changes) are logged for review.
  • Abuse detection — Backend heuristics flag excessive follow behavior, rapid account creation, and impossible-travel GPS patterns for review.
  • Infrastructure monitoring — CloudWatch alarms and synthetic checks page the operations team when key paths fail.

Responsible Disclosure

If you believe you have discovered a security vulnerability in WeRoll, please report it to security@bustersense.com. We respond within 3 business days and credit good-faith researchers in our public acknowledgements.

We ask that you:

  • Avoid actions that degrade service for other users (DoS, mass data extraction).
  • Avoid accessing data that is not yours; use a test account.
  • Give us reasonable time to fix issues before public disclosure.

Incident Response

If a security incident affects user data or service availability, we will notify affected users via email and post a status update at /transparency. For active investigations, we may delay specific technical details until remediation is complete.

f6a79ae · 2026-05-29 14:29