Placeholder copy — replace before public launch. Substance reflects the actual technical posture today.
Authentication
- Email + password auth managed by Supabase Auth. Passwords are bcrypt-hashed; we never see them.
- Email verification required before account activation.
- CAPTCHA (Cloudflare Turnstile) gates signup and the anonymous demo to slow bot abuse.
- Magic-link signin available as a passwordless alternative.
Tenant isolation
- Every user-data table has Postgres Row-Level Security (RLS) enabled. Reads and writes are scoped to auth.uid() at the database level — so even a missing WHERE user_id = ... in application code cannot leak data between users.
- A structural CI test fails any code change that uses the service-role Supabase client outside an allowlisted set of admin / cron / webhook routes.
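The structural CI test described above, as an added example (not the project's own test): it scans repository sources for uses of the service-role client and fails unless the file sits under an allowlisted route. The helper name `createServiceRoleClient`, the `SUPABASE_SERVICE_ROLE_KEY` environment variable and the `app/api/...` layout are assumptions; the sample files are constructed.

```python
"""Structural CI check: fail the build if the service-role (RLS-bypassing)
Supabase client appears outside an allowlisted set of routes.

Added example. Assumptions (not from the page): the privileged client is
obtained via a helper named `createServiceRoleClient` or by reading
`SUPABASE_SERVICE_ROLE_KEY` directly, and allowlisted routes live under
app/api/admin, app/api/cron and app/api/webhooks.
"""
import fnmatch
import pathlib
import re
import sys

# Source patterns that indicate the privileged client (hypothetical names).
SERVICE_ROLE_PATTERNS = [
    re.compile(r"\bcreateServiceRoleClient\s*\("),
    re.compile(r"\bSUPABASE_SERVICE_ROLE_KEY\b"),
]

# Only these paths may hold the service-role client (hypothetical layout).
# fnmatch's "*" also matches "/", so nested route files are covered.
ALLOWLIST = [
    "app/api/admin/*",
    "app/api/cron/*",
    "app/api/webhooks/*",
    "lib/supabase/service-role.ts",  # the one place the client is constructed
]


def is_allowlisted(path):
    return any(fnmatch.fnmatch(path, pattern) for pattern in ALLOWLIST)


def find_violations(files):
    """files: mapping of repo-relative path -> source text.

    Returns a list of (path, line_no, line) for every disallowed use, so the
    CI log points straight at the offending line.
    """
    violations = []
    for path, text in files.items():
        if is_allowlisted(path):
            continue
        for line_no, line in enumerate(text.splitlines(), start=1):
            if line.lstrip().startswith("//"):
                continue  # a comment mentioning the client is not a code path
            if any(p.search(line) for p in SERVICE_ROLE_PATTERNS):
                violations.append((path, line_no, line.strip()))
    return violations


def load_sources(root, suffixes=(".ts", ".tsx")):
    """Read every TypeScript file under root into the mapping find_violations expects."""
    root = pathlib.Path(root)
    return {
        str(p.relative_to(root)).replace("\\", "/"): p.read_text(encoding="utf-8")
        for p in root.rglob("*")
        if p.suffix in suffixes and "node_modules" not in p.parts
    }


# Constructed sample repository: two allowlisted uses, two violations.
SAMPLE_FILES = {
    "app/api/admin/users/route.ts": "const db = createServiceRoleClient();\n",
    "app/api/cron/cleanup/route.ts": "const db = createServiceRoleClient();\n",
    "app/api/chat/route.ts": (
        "// createServiceRoleClient() must not be used here\n"
        "const db = createServiceRoleClient(); // would bypass RLS for every tenant\n"
    ),
    "lib/notes.ts": "const key = process.env.SUPABASE_SERVICE_ROLE_KEY;\n",
}


if __name__ == "__main__":
    # `python check_service_role.py <repo-root>` scans a checkout; with no
    # argument it runs against the constructed sample above.
    sources = load_sources(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    found = find_violations(sources)
    for path, line_no, line in found:
        print(f"{path}:{line_no}: service-role client outside allowlist: {line}")
    sys.exit(1 if found else 0)
```

The check is deliberately textual rather than type-aware: it runs in seconds on every pull request and fails closed, so a new route that needs the privileged client must be added to the allowlist in the same change, which makes the privilege grant visible in review.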
Content storage
- Uploaded files are stored in Supabase Storage with per-user/per-vault path prefixes.
- Storage RLS policies match the database RLS — only the owner can read.
- Files indexed for retrieval are passed to Google Gemini File Search; per Google's API terms, this content is not used for model training.
Network and transport
- All traffic is HTTPS-only. HSTS is enabled.
- API traffic goes through Cloudflare (DDoS protection, WAF).
- The chat endpoint enforces per-user rate limits (60 chat messages/min; 50 queries/month on the free tier) and per-org daily cost ceilings ($50/day) to prevent runaway spend.
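The layered limits on the chat endpoint, as an added example (not the service's own code): a per-user sliding window, a monthly quota for the free tier and a per-org daily spend ceiling, checked cheapest-first and failing closed on an unknown plan. The numbers are the ones stated above; the in-memory stores and injectable clock are assumptions so the example runs offline (a deployment would back them with Redis or Postgres).

```python
"""Per-user rate limits and per-org daily cost ceiling for a chat endpoint.

Added example. Limits are the ones on the page (60 chat messages/min,
50 queries/month on free, $50/day per org). The in-memory stores and the
injectable clock are assumptions so the example runs offline.
"""
import collections
from datetime import datetime, timezone

PER_MINUTE_MESSAGES = 60
FREE_MONTHLY_QUERIES = 50
ORG_DAILY_COST_USD = 50.0
KNOWN_PLANS = {"free", "pro"}  # hypothetical plan names


def _month_key(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m")


def _day_key(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d")


class ChatGuard:
    def __init__(self, clock):
        self.clock = clock  # callable returning unix seconds; injected for testing
        self.minute_events = collections.defaultdict(collections.deque)  # user -> timestamps
        self.monthly_counts = collections.defaultdict(int)    # (user, month) -> queries
        self.org_spend = collections.defaultdict(float)       # (org, day) -> USD

    def check(self, user_id, org_id, plan):
        """Return None if the request may proceed, else a reason string.

        Only a permitted request is counted, so a rejected burst does not
        consume quota. Checks run cheapest first; unknown plans fail closed.
        """
        if plan not in KNOWN_PLANS:
            return "unknown_plan"
        now = self.clock()

        # 1. Sliding one-minute window per user.
        window = self.minute_events[user_id]
        while window and now - window[0] >= 60:
            window.popleft()
        if len(window) >= PER_MINUTE_MESSAGES:
            return "rate_limited"

        # 2. Monthly quota on the free tier.
        month = (user_id, _month_key(now))
        if plan == "free" and self.monthly_counts[month] >= FREE_MONTHLY_QUERIES:
            return "monthly_quota_exceeded"

        # 3. Organisation-wide daily spend ceiling (runaway-cost guard).
        if self.org_spend[(org_id, _day_key(now))] >= ORG_DAILY_COST_USD:
            return "org_daily_cost_ceiling"

        window.append(now)
        self.monthly_counts[month] += 1
        return None

    def record_cost(self, org_id, usd):
        """Called after the model call completes with the metered cost."""
        self.org_spend[(org_id, _day_key(self.clock()))] += usd
```

Spend is recorded after the call, so the ceiling is enforced at the next request rather than mid-call; a strict cap would reserve an estimated cost up front and reconcile afterwards.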
Payments
Payment processing is handled by Stripe Checkout. We never receive or store card numbers. Subscription state is synced via Stripe webhooks with signature verification + replay detection.
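Webhook signature verification with replay detection, as an added example (not the service's own handler): it re-implements the documented Stripe-Signature scheme (header `t=<unix ts>,v1=<hex HMAC-SHA256 of "<ts>.<body>">`, 5-minute tolerance) from scratch rather than calling the stripe SDK, and deduplicates by event id. The in-memory seen-id set, the `whsec_example` secret and the event payload are constructed.

```python
"""Verify a Stripe-style webhook and apply each event at most once.

Added example. Re-implements the documented Stripe-Signature scheme with
hmac/hashlib instead of the stripe SDK. The seen-id set stands in for a
database table with a unique index on the event id.
"""
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # reject signatures older than 5 minutes (Stripe's default)


def sign_payload(secret, body, timestamp):
    """Produce a Stripe-Signature header value (used here only to build inputs)."""
    signed = f"{timestamp}.{body}".encode()
    digest = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def parse_signature_header(header):
    """Return (timestamp, [v1 signatures]); Stripe may send several v1 during secret rotation."""
    timestamp, signatures = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, signatures


def verify_signature(secret, body, header, now=None):
    """True only if some v1 matches the raw body and the timestamp is fresh."""
    now = time.time() if now is None else now
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale signature: a captured delivery being replayed
    expected = hmac.new(
        secret.encode(), f"{timestamp}.{body}".encode(), hashlib.sha256
    ).hexdigest()
    # compare_digest avoids leaking the match position through timing.
    return any(hmac.compare_digest(expected, sig) for sig in signatures)


class WebhookProcessor:
    def __init__(self, secret):
        self.secret = secret
        self.seen_event_ids = set()  # stands in for a DB table keyed by event id
        self.applied = []            # (event type, object id) pairs that changed state

    def handle(self, body, header, now=None):
        """Return 'rejected', 'duplicate' or 'applied'. Body must be the raw bytes-as-text."""
        if not verify_signature(self.secret, body, header, now):
            return "rejected"
        event = json.loads(body)
        event_id = event["id"]
        if event_id in self.seen_event_ids:
            return "duplicate"  # Stripe retries deliveries; apply each event once
        self.seen_event_ids.add(event_id)
        self.applied.append((event["type"], event["data"]["object"]["id"]))
        return "applied"


# Constructed sample event and secret.
SAMPLE_SECRET = "whsec_example"
SAMPLE_EVENT = json.dumps({
    "id": "evt_test_0001",
    "type": "customer.subscription.updated",
    "data": {"object": {"id": "sub_test_0001", "status": "active"}},
})

if __name__ == "__main__":
    ts = int(time.time())
    header = sign_payload(SAMPLE_SECRET, SAMPLE_EVENT, ts)
    processor = WebhookProcessor(SAMPLE_SECRET)
    print(processor.handle(SAMPLE_EVENT, header))  # applied
    print(processor.handle(SAMPLE_EVENT, header))  # duplicate
```

Two details matter in a real handler: verify over the raw request body before any JSON parsing (re-serialising changes bytes and breaks the HMAC), and record the event id in the same database transaction that applies the state change, so a crash between the two cannot leave an event both unrecorded and half-applied.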
Operational practices
- Daily encrypted database backups; periodic restore drills.
- UptimeRobot + status page for service availability.
- Better Stack Logs for structured logging; PII scrubbed at log boundary.
- Sentry for error tracking (no PII in error reports).
Reporting a vulnerability
Found something? Email [email protected] with details. We will acknowledge within 2 business days and coordinate on disclosure.