Security & Data Protection
Nextro uses industry-standard security practices to protect business accounts, customer data, and payment information. This page explains what measures are in place.
No card data stored
Card details are processed by Stripe — never stored by Nextro.
No customer funds held
Payments go directly to businesses via Stripe Connect. Nextro never holds customer funds.
Encrypted in transit and at rest
All data is encrypted using TLS and stored in Google Firebase.
GDPR compliant
UK GDPR and Data Protection Act 2018. Data rights available on request.
Security measures
Data transmission
SSL / TLS encryption
All data transmitted between customers, businesses, and Nextro is encrypted using TLS (HTTPS). No data is transmitted over unencrypted connections.
Authentication
Secure business account authentication
Business accounts are secured using Firebase Authentication — a Google-managed authentication service. Passwords are hashed and never stored in plain text. Nextro uses secure, httpOnly session cookies.
Payment security
PCI-DSS compliant card processing via Stripe
Nextro never stores card numbers, CVVs, or cardholder data. All card processing is handled by Stripe Technology Europe, Limited — a PCI-DSS certified payment processor. Nextro only receives a transaction reference and payment status.
Data storage
Encrypted cloud storage via Google Firebase
Business and customer data is stored in Google Firebase — encrypted at rest and in transit. Firebase complies with ISO 27001, SOC 1, SOC 2, and SOC 3 security standards.
Access controls
Role-based access
Business data is accessible only to the authenticated account holder. Nextro staff access to production data is restricted, audited, and limited to authorised personnel for operational purposes only.
Data protection
UK GDPR compliance
Nextro is operated by COACHFLO LTD and complies with UK GDPR and the Data Protection Act 2018. Customers and businesses have the right to access, correct, and request deletion of their personal data.
Vulnerability management
Dependency security
Nextro's codebase is managed with regular dependency audits. The platform is deployed on Vercel with automatic security updates for the hosting infrastructure.
Stripe Connect
Stripe Connect security
Businesses connect their Stripe account via the official Stripe Connect OAuth flow. Nextro never has access to business bank account details — only a Stripe account reference. Stripe handles all identity verification under their own compliance framework.
Security concerns
If you have identified a potential security issue or vulnerability, please contact us directly at admin@nextroapp.com. We take all security reports seriously and aim to respond within 2 business days.
