The full site runs behind HTTPS, a protocol for securing the communication between the user's browser and the web server.
We do not store user passwords in plain text. The passwords are hashed with a one-way function, so there is no way to retrieve them.
We do not store credit card numbers on our server. They are stored in secure vault servers at Stripe. We only have the last 4 digits of the card. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.
Even when this information passes through our servers, it is masked so that it is not logged there.
Everything is behind a VPC (Virtual Private Cloud) on AWS (Amazon Web Services). Nobody has direct access to the servers.
We follow software development best practices to avoid cross-site scripting, SQL injection, etc.
We manage employee permissions. Employees are granted access only to information that is necessary for accomplishing their jobs. All employee actions are logged and an audit trail is maintained.
All passwords are changed at a regular interval.