trust & security.
clear boundaries. deliberate controls. no theatre.
payments.
checkout is handled by stripe. strategiq does not store full payment card numbers or card security codes.
paid access.
paid intake is tied to a valid stripe checkout session. unpaid or invalid sessions are not accepted by the intake workflow.
server-side secrets.
production credentials are kept in server-side environment storage and are not included in public page code. administrative database access is restricted to server routes that require it.
webhook verification.
stripe webhook requests are verified against the raw request body before payment events are processed. unsupported events are ignored and duplicate event handling is designed to be idempotent.
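an added example of the check described above, not strategiq's own code: it follows stripe's documented `Stripe-Signature` scheme (hmac-sha256 over the timestamp, a dot, and the raw body) and shows why the raw bytes matter and how event ids make handling idempotent. the secret, the supported-event set, and the in-memory id store are assumptions made for the sketch.

```python
import hashlib
import hmac
import json

# assumptions for this sketch: placeholder event set, in-memory duplicate store
SUPPORTED = {"checkout.session.completed"}
TOLERANCE_SECONDS = 300
_seen_event_ids = set()  # stand-in for a unique-keyed table in a real database


def sign(secret: str, timestamp: int, raw_body: bytes) -> str:
    """hmac-sha256 over b"<timestamp>.<raw body>", hex-encoded (stripe's v1 scheme)."""
    signed = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify(secret: str, header: str, raw_body: bytes, now: float) -> bool:
    """check a Stripe-Signature header ("t=...,v1=...") against the raw bytes."""
    timestamp, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isascii() and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # missing or stale timestamp: treat as a replay
    expected = sign(secret, timestamp, raw_body).encode()
    # constant-time comparison; bytes on both sides so odd header input cannot raise
    return any(hmac.compare_digest(expected, c.encode()) for c in candidates)


def handle_webhook(secret: str, header: str, raw_body: bytes, now: float) -> str:
    """verify first, parse second; returns the action taken."""
    if not verify(secret, header, raw_body, now):
        return "rejected"
    event = json.loads(raw_body)  # parsed only after the signature holds
    if event.get("type") not in SUPPORTED:
        return "ignored"
    if event["id"] in _seen_event_ids:
        return "duplicate"  # redelivery of an event already handled
    _seen_event_ids.add(event["id"])
    return "processed"
```

a body that has been parsed and re-serialized by middleware no longer matches the signature, which is why the handler needs the bytes exactly as received.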
queue controls.
automation jobs are leased one at a time, authenticated with a worker secret, validated before delivery, and sent with job identifiers for downstream duplicate protection.
data minimization.
forms request only the information needed to assess the business, deliver the purchased work, and maintain required transaction and service records.
responsible disclosure.
security concerns may be submitted through the contact page. do not include passwords, payment card data, private keys, or other credentials in a report.