Security
MarkApprove is built for client approval workflows that may include private deliverables, client comments, approval records, and billing metadata. This page summarizes the safeguards currently in place.
Accounts And Sessions
Passwords are hashed before storage, sessions use secure HTTP-only cookies in production, and sensitive account actions use same-origin checks and rate limits.
Review Links
Client review links are shareable bearer links by default. Designers can add access codes, pause links, set expirations, regenerate links, and invite reviewers through tokenized review URLs.
Uploaded Deliverables
Deliverables are served through authenticated application routes instead of as open static files. Uploads are validated by detected file type, size limits, image dimensions, randomized filenames, and private no-store streamed responses.
Supported new uploads are review-ready image deliverables: PNG, JPG/JPEG, and WebP. Files are validated by detected type, size, dimensions, and filename shape before storage. MarkApprove is intentionally not a final-file handoff or source-file transfer system.
Billing
Payments and subscriptions are handled by Stripe. MarkApprove stores billing identifiers and subscription status, but does not store full payment card numbers.
Backups And Operations
We maintain operational backups, run service health checks, and provide restore-drill tooling for recovery testing. Uploaded deliverables may be included in operational backups.
Report A Security Issue
If you believe private data is exposed or you found a vulnerability, email support@markapprove.com with enough detail to investigate. Please do not include passwords, payment card numbers, or highly sensitive client files in email.