suPlayPurchasing GameBeer GameMinigamesPollSSA
Suplay · Games & Tools

Security Summary

Last updated: May 2026

Suplay Games & Tools is designed to collect as little personal data as possible — there are no accounts, no passwords, no email addresses, and no cookies. Most data lives in your own browser’s localStorage and never leaves your device unless attached to a game attempt you submit. This page summarises the additional measures we apply to protect what we do process.

Hosting and data residency

  • All application data is hosted on dedicated infrastructure operated by TransIP / team.blue in the Netherlands (EU).
  • No customer data is stored outside the EU.
  • The Node.js application is not directly exposed to the public internet; traffic arrives via an Apache reverse proxy over HTTPS only.

Transport and storage

  • TLS 1.2+ is enforced for all external traffic, with HTTP Strict Transport Security (HSTS) set at a long max-age including subdomains.
  • The database password is stored in a 0640 file readable only by the unprivileged service user.
  • Database backups are encrypted (GPG AES-256) with a key held by suPlay B.V. only, stored off-site in an EU region.

Application-level controls

  • All database queries use parameterised statements via the Prisma ORM; user input is never concatenated into SQL.
  • API request bodies are validated against strict Zod schemas; unknown fields are rejected.
  • The free-text fields (display name, BATNA card) are length-limited and rendered as text, never injected as HTML.
  • Security response headers are sent on every page: X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Referrer-Policy: strict-origin-when-cross-origin, Strict-Transport-Security, and a restrictive Content-Security-Policy.
  • The site sets no third-party scripts and embeds no third-party iframes.

Operational controls

  • The Node.js process runs as an unprivileged systemd-supervised user (minigames), never as root.
  • SSH access to the host is key-only on a non-standard port; bruteforce attempts are throttled by fail2ban.
  • The host firewall permits only ports 80, 443, SSH and WireGuard inbound.
  • The database listens on localhost only; no remote connections are accepted.
  • OS packages are kept up to date with automatic security updates.

Logging

  • Standard server access logs are rotated after 14 days.
  • We do not log player display names, IP addresses linked to attempts, or game payload contents in long-term logs.

Reporting a vulnerability

If you believe you’ve found a security vulnerability, please report it to privacy@suplay.nl before disclosing publicly. We acknowledge reports within two working days.