Security
MillionaireCap AI is built with defense-in-depth: transport security, strict browser policies, database row-level security, and payment flows that keep card data off our infrastructure.
Web & account security
Row-level security (Supabase)
Database access is scoped per user. Admins use role checks; users only read and write their own data.
Bearer token auth
Server functions require a valid Supabase session token. Tokens are sent over HTTPS only.
Content Security Policy
CSP restricts scripts, frames, and connections to trusted origins (our app, Supabase, Stripe, Google sign-in).
Clickjacking protection
The X-Frame-Options header and the CSP frame-ancestors directive prevent our app from being embedded in iframes on other sites, which blocks clickjacking.
Strong passwords
Sign-up requires 8+ characters with upper, lower, number, and symbol.
Safe redirects
After login, the app only follows redirect targets on our own domain; external URLs are rejected to prevent phishing through open redirects.
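The check described above, as an added example that is not MillionaireCap's own code: a post-login "next" parameter is resolved against the app's origin, and anything that would leave that origin (absolute URLs to other hosts, protocol-relative `//host` forms, `javascript:` URLs) falls back to a default page. The origin and default path are assumed placeholders.

```javascript
// Assumed placeholders: replace with the real app origin and landing page.
const APP_ORIGIN = "https://app.example.com";
const DEFAULT_AFTER_LOGIN = "/dashboard";

// Returns a same-origin path (path + query + hash) for a user-supplied
// redirect target, or DEFAULT_AFTER_LOGIN when the target is not safe.
function safeRedirectTarget(next, origin = APP_ORIGIN) {
  if (typeof next !== "string" || next.length === 0) return DEFAULT_AFTER_LOGIN;

  let url;
  try {
    // Resolving against our origin makes relative paths such as "/billing"
    // same-origin. Absolute URLs and protocol-relative "//evil.example" keep
    // their own host, so they fail the origin comparison below. The WHATWG
    // parser also turns "/\evil.example" into "//evil.example", so that
    // backslash trick is caught the same way.
    url = new URL(next, origin);
  } catch {
    return DEFAULT_AFTER_LOGIN; // unparsable input
  }

  // Exact origin match (scheme + host + port). This rejects other hosts,
  // look-alikes such as "app.example.com.evil.example", and non-http(s)
  // schemes like javascript: or data:, whose origin is the string "null".
  if (url.origin !== new URL(origin).origin) return DEFAULT_AFTER_LOGIN;

  // Redirect to the path component only; never echo the absolute form back.
  return url.pathname + url.search + url.hash;
}
```

Call `safeRedirectTarget(params.get("next"))` and pass the result to the redirect; the function never returns anything outside the configured origin.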
Payment security
No card data on our servers
Card numbers, CVV, and PINs are entered only on Stripe’s hosted checkout — never on MillionaireCap pages.
TLS encryption
All payment pages use HTTPS. We enforce HSTS in production so browsers always use a secure connection.
PCI DSS via Stripe
Stripe is PCI DSS Level 1 certified. We use Stripe Checkout / Payment Element so we stay out of cardholder data scope (SAQ A).
Tokenized subscriptions
Subscriptions and one-time charges use Stripe customer IDs and payment intents — not stored card numbers.
3D Secure when required
Stripe automatically applies Strong Customer Authentication (SCA) where regulations require it.
Mobile money & bank transfers
Regional methods (Tigo, Airtel, Vodacom, bank transfer) are processed through licensed partners; we never ask for mobile PINs on this site.
Report a vulnerability
If you believe you have found a security issue, contact us at security@millionairecap.com. Please do not disclose publicly until we have had a reasonable time to respond.