SECURITY WITHOUT THE ENTERPRISE COSPLAY

Your product context is not content.

Three Moves needs enough context to make useful marketing decisions. That does not make your private roadmap, buyer notes, or account data material for a public feed.

WHAT IS IN PLACE

Six boundaries around the useful stuff.

Last reviewed July 15, 2026.

01
ACCOUNT ACCESS

Short-lived links. Hashed tokens.

Magic login links expire after 15 minutes and can be used once. Login and session tokens are stored as SHA-256 hashes, not readable tokens. Production session cookies are HTTP-only, secure, and same-site.

02
AI PLANNING

Relevant context, not your whole account.

When a generation runs, Three Moves sends the configured AI provider only the product, buyer, strategy, and recent-signal context needed for that output. Do not put credentials or sensitive personal data in notes.

03
URL INSPECTION

Public HTML only. Private networks blocked.

The landing-page grader accepts HTTPS pages, rejects local and private destinations, rechecks redirects, reads HTML only, limits downloads to 500 KB, times out after six seconds, and rate-limits requests.

04
PAYMENTS

Card details stay with Stripe.

Three Moves receives payment status and purchase references needed to activate access. Full card numbers and card security codes are handled by Stripe and are not stored in the Three Moves database.

05
COMMUNITY

Private until you deliberately publish.

Builder Cards, proof cards, and Proof Board participation are opt-in. Marketing inbox items, buyer notes, revenue, email addresses, and guest-test responses are not placed on public profiles.

06
OPERATIONS

Failures should leave evidence.

Administrative actions and scheduled-job results are logged. The founder console checks database, email, payments, scheduled work, AI, outbound access, and backup readiness before launch decisions are made.

THE HONEST LIMIT

Early-stage software—not a compliance costume.

Three Moves does not currently claim SOC 2 or ISO 27001 certification, a formal bug-bounty program, or an external penetration-test report. If your organization requires one of those controls, contact us before entering company-confidential information or purchasing access.

FOUND SOMETHING?

Report it privately. Give us a clean reproduction.

Include the affected URL, the behavior you observed, the potential impact, and safe reproduction steps. Do not access another person’s data, degrade the service, or publish unresolved details.

Send a private report