Skip to main content

Security

Security-First Design

We process only publicly available government data. No private consumer information. No scraped personal data. Built with security at every layer.

Security-First Design

Security headers, input validation, and secure defaults at every layer.

Public Data Only

We only process publicly available government records. Zero private consumer data.

Enterprise-Grade Hosting

Hosted on Vercel with global edge network, automatic DDoS protection, and enterprise-grade reliability.

Data Sources & Privacy

United Current exclusively processes data from authoritative, publicly available government sources. These include the EPA Safe Drinking Water Act database, state regulatory filings, State Revolving Fund priority lists, federal grant and award records, and other official public records.

We do not collect, store, or process any of the following:

  • Private consumer data or personally identifiable information (PII) of private citizens
  • Social media data or web scraping of private platforms
  • Purchased marketing lists or third-party consumer databases
  • Financial account information of individuals
  • Health records or protected health information (PHI)

The contact information in our platform, including names, titles, emails, and phone numbers of water utility officials, is sourced exclusively from official public records, government directories, and publicly available utility board documents.

HTTPS Everywhere

All connections to our website and services are encrypted using TLS. We enforce HTTPS across all pages and API endpoints. Our Strict-Transport-Security (HSTS) header ensures browsers always use secure connections, with a max-age of two years and preload eligibility.

Security Headers

Our website is configured with comprehensive security headers to protect against common web vulnerabilities:

Content Security Policy (CSP): restricts resource loading origins
Strict-Transport-Security (HSTS): enforces HTTPS connections
X-Frame-Options: prevents clickjacking attacks
X-Content-Type-Options: prevents MIME-type sniffing
Referrer-Policy: controls information sent in referrer headers
Permissions-Policy: restricts browser feature access

Application Security

Our website follows security best practices including server-side input validation and sanitization on all form submissions, honeypot fields for spam prevention, and secure API routes with proper error handling. We conduct regular dependency audits and keep all packages up to date.

Hosting Infrastructure

Our website is hosted on Vercel, a leading cloud platform with enterprise-grade security. Vercel's infrastructure provides:

  • Global edge network with automatic DDoS protection
  • TLS encryption for all data in transit
  • Automated deployments with preview environments
  • Enterprise-grade uptime and reliability

For details on Vercel's security certifications, visit Vercel's security page directly.

Cookie Consent

We respect user privacy and only set analytics cookies after explicit consent. Our cookie banner gives visitors clear control over their tracking preferences. No third-party analytics scripts are loaded until consent is granted.

Responsible Disclosure

If you discover a security vulnerability in our website or systems, we encourage responsible disclosure. Please report any findings to security@unitedcurrent.com. We will acknowledge receipt within 48 hours and work with you to understand and address the issue promptly.

Questions

For security-related questions, contact us at security@unitedcurrent.com.