Security

How Split Infinity approaches security to protect your data and payments.

Authentication

Split Infinity does not store passwords. All authentication is delegated to trusted external identity providers — Google, Microsoft, and GitHub. When you sign in, you authenticate directly with your chosen provider using their secure OAuth 2.0 flow. Split Infinity receives only a verified identity claim (your email and a provider-specific ID) and never has access to your provider credentials.

Your Split Infinity account stores only your display name, email address, provider identifier, and Stripe account reference. No passwords, security questions, or authentication secrets are held by the platform.

Payment Security

All payment processing is handled exclusively by Stripe, which is certified to PCI DSS Level 1 — the highest level of payment card industry compliance. Split Infinity never receives, processes, or stores card numbers, bank account details, CVV codes, or any other sensitive financial data. When a payer submits payment, their card details are entered directly on Stripe's hosted Checkout page and transmitted securely to Stripe's servers without passing through Split Infinity systems.

Split Infinity stores only Stripe reference identifiers (payment intent IDs, account IDs, transfer IDs) to link internal records to Stripe events. These identifiers carry no sensitive information on their own. Stripe's own security infrastructure — including encryption at rest, fraud detection, and network monitoring — protects the underlying financial data.

Data Storage

Application data (teams, members, payment records, audit logs) is stored in Azure Cosmos DB, a managed NoSQL database service operated by Microsoft in a dedicated Azure environment. Data is encrypted at rest using Microsoft-managed keys and is accessible only to the application via managed identity — no static connection strings with passwords are used in production.

Secrets such as API keys and configuration values are stored in Azure Key Vault and fetched at application startup. They are never written to source code, configuration files, or application logs. All infrastructure access follows the principle of least privilege.

Transport Security

All communication between your browser and Split Infinity is encrypted using TLS (HTTPS). HTTP requests are automatically redirected to HTTPS, and HTTP Strict Transport Security (HSTS) headers instruct browsers to always use secure connections for the domain. The application is hosted on Azure Container Apps, which enforces TLS termination at the ingress layer.

Stripe webhook events delivered to Split Infinity are validated using Stripe's webhook signature verification before being processed, preventing replay attacks or spoofed events.
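The check described above, sketched as an added example (not Split Infinity's own code): it follows Stripe's documented scheme, in which the `Stripe-Signature` header carries a timestamp `t` and one or more `v1` values, each an HMAC-SHA256 of `t.payload` keyed with the endpoint secret. The secret, payload, and 300-second tolerance below are constructed assumptions; in production the official Stripe library performs this verification.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window for this example


def compute_signature(payload: bytes, timestamp: str, secret: str) -> str:
    """HMAC-SHA256 over 'timestamp.payload', hex-encoded."""
    signed = timestamp.encode() + b"." + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def parse_signature_header(header: str):
    """Split 't=...,v1=...,v1=...' into (timestamp string, [v1 signatures])."""
    timestamp, signatures = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def verify_webhook(payload: bytes, header: str, secret: str,
                   now=None, tolerance: int = TOLERANCE_SECONDS) -> bool:
    """Accept an event only if it is authentic (spoofing) and fresh (replay).

    payload must be the raw request body, before any JSON parsing.
    """
    timestamp, signatures = parse_signature_header(header)
    if not timestamp or not (timestamp.isascii() and timestamp.isdigit()):
        return False
    expected = compute_signature(payload, timestamp, secret).encode()
    # Constant-time comparison; several v1 values can appear during secret rotation.
    authentic = any(
        hmac.compare_digest(expected, s.encode()) for s in signatures
    )
    now = time.time() if now is None else now
    fresh = abs(now - int(timestamp)) <= tolerance
    return authentic and fresh


# Constructed sample values, not real Stripe data.
SECRET = "whsec_constructed_example"
PAYLOAD = b'{"id":"evt_constructed","type":"checkout.session.completed"}'
SAMPLE_T = "1700000000"
SAMPLE_HEADER = f"t={SAMPLE_T},v1={compute_signature(PAYLOAD, SAMPLE_T, SECRET)}"
```

The signature alone stops spoofed events; the timestamp check is what rejects a captured event replayed later with its original, still-valid signature.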

Audit Logging

All sensitive actions are recorded in an append-only audit log, including: user sign-ins and authentication events, team creation and archival, membership changes (invitations, acceptances, removals, ownership transfers), share percentage updates, payment processing events, and platform configuration changes.

Each audit entry records the action type, the affected entity, the user who performed the action, and a timestamp. Audit logs are accessible to platform administrators and are retained to support incident investigation and regulatory compliance.

Responsible Disclosure

If you discover a security vulnerability in Split Infinity, please report it responsibly. Do not exploit the vulnerability or disclose it publicly before giving us the opportunity to address it. We aim to acknowledge security reports promptly and provide a fix or mitigation as quickly as possible.

To report a security issue, please contact the platform administrator directly. Include a clear description of the vulnerability, steps to reproduce it, and the potential impact. We appreciate responsible security research and will acknowledge your contribution once the issue is resolved.
