Paced is built to keep your account and your ride data safe. Here is how we protect it.
All user authentication is handled by Firebase Authentication (Google). Paced never stores passwords. Firebase manages credential storage, session tokens, and token rotation securely.
Every API request is authenticated server-side: the Firebase Admin SDK verifies ID tokens on each request, ensuring only the token's owner can access their rides and account data.
Every request to the Paced backend must carry a valid Firebase ID token, which is verified server-side before any data is read or written. Requests without a valid token are rejected.
Cross-origin requests are restricted to approved origins, and rate limiting is applied to sensitive endpoints to protect against automated abuse.
All data is encrypted in transit via HTTPS (TLS 1.2+). HSTS is enforced in production with a two-year max-age and subdomain inclusion to prevent downgrade attacks.
Data at rest is encrypted by Google Cloud (Firestore) using AES-256 by default.
Each Paced user's rides and profile are stored under a unique account-scoped path in Firestore. Firestore Security Rules enforce that no user can read or write another user's data via the client SDK.
Server-side API endpoints verify the caller's identity before accessing any data, and cross-account access is blocked at the API layer.
Paced is hosted on Vercel, a SOC 2 Type II certified platform. Application functions run as serverless edge-adjacent compute. There are no persistent servers to patch or secure.
Data is stored in Google Cloud Firestore, part of Google's ISO 27001, SOC 1/2/3, and PCI-DSS certified infrastructure. Firebase itself benefits from Google's security investment at scale.
All Paced responses include the following security headers:
Strict-Transport-Security (HSTS) — enforces HTTPS
X-Frame-Options: DENY — prevents clickjacking
X-Content-Type-Options: nosniff — prevents MIME sniffing
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy — disables unused browser APIs

Paced only stores what it needs to run: your account email and the rides you choose to log (distance, duration, elevation, route name, ride type, and notes). We do not collect data about you from anywhere else.
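As an added illustration (not Paced's own code), the response-header policy listed above can be checked against a captured response with a small Node.js function. It assumes "two-year max-age" means 63072000 seconds; the function names, finding strings and sample header sets are constructed for the example.

```javascript
// Added example: audit response headers against the policy stated on this page.
// Assumption: "two-year max-age" is taken as 63072000 seconds (730 days).
const TWO_YEARS = 63072000;

// Parse an HSTS value into its max-age (or null) and includeSubDomains flag.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(';')) {
    const [name, raw = ''] = part.trim().split('=');
    const key = name.trim().toLowerCase();
    if (key === 'max-age' && /^\d+$/.test(raw.trim())) out.maxAge = Number(raw.trim());
    if (key === 'includesubdomains') out.includeSubDomains = true;
  }
  return out;
}

// Return a list of deviations; an empty list means the response matches the policy.
function auditSecurityHeaders(headers) {
  const h = {}; // header names are case-insensitive, so normalise them first
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];
  const hstsRaw = h['strict-transport-security'];
  if (!hstsRaw) {
    findings.push('HSTS missing');
  } else {
    const hsts = parseHsts(hstsRaw);
    if (hsts.maxAge === null || hsts.maxAge < TWO_YEARS) findings.push('HSTS max-age below two years');
    if (!hsts.includeSubDomains) findings.push('HSTS lacks includeSubDomains');
  }
  if ((h['x-frame-options'] || '').toUpperCase() !== 'DENY') findings.push('X-Frame-Options is not DENY');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  if ((h['referrer-policy'] || '').toLowerCase() !== 'strict-origin-when-cross-origin') findings.push('Referrer-Policy differs');
  if (!h['permissions-policy']) findings.push('Permissions-Policy missing');
  return findings;
}

// Constructed sample header sets (not captured from Paced).
const COMPLIANT = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()', // constructed value
};
// Same response with a one-year HSTS lifetime, no subdomain coverage, and framing allowed.
const WEAK = { ...COMPLIANT, 'Strict-Transport-Security': 'max-age=31536000', 'X-Frame-Options': 'SAMEORIGIN' };

console.log(auditSecurityHeaders(COMPLIANT), auditSecurityHeaders(WEAK));
```

An empty result for a production response means every header in the list is present with the stated value; each string in a non-empty result names one deviation to fix in the deployment's header configuration.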
We do not use advertising cookies, third-party analytics, or cross-site tracking of any kind. Your ride data is never sold or shared with advertisers.
You can delete any individual ride at any time, and deleting your account removes your rides and profile from our database.
In the event of a security incident affecting user data, Paced will:
Current platform status is available on our system status page.
If you discover a security vulnerability in Paced, please report it responsibly via our support page. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate.
We will acknowledge your report within 5 business days and keep you informed of progress.
Internal access to user data is restricted by role and requires authentication. The Paced admin panel is protected by a server-side allowlist in addition to role verification — access cannot be granted by modifying client-side state alone.
We do not access your data except as required to provide support (with your permission), investigate incidents, or comply with legal obligations.