SECURITY
LAST REVIEWED: APRIL 19, 2026
1. DATA HOSTING
Supabase EU, Frankfurt. All customer data stored in the European Union. GDPR-compliant infrastructure: data never leaves the EU in the course of normal operation.
2. ENCRYPTION
- TLS 1.2+ in transit (via Cloudflare). HSTS with a 1-year max-age on both marketing and app domains.
- AES-256 at rest (Supabase-managed). Postgres data and backups encrypted by the platform.
- All third-party API keys (Anthropic, Deepgram, Stripe, Resend, PostHog, Sentry) live in Cloudflare Pages and Supabase Edge Function secrets. Nothing is committed to git. Rotation cadence: scheduled quarterly; immediate on any suspected exposure.
3. ACCESS CONTROLS
- Row-Level Security on every table. No SQL path lets one account read another's rows; policies are enforced in the database, not the application layer.
- MFA required for all admin accounts (GitHub, Supabase, Cloudflare, Stripe, Firebase, domain registrar).
- All production deploys go through PR review + environment-gated approval. The `backend-production` GitHub Environment requires a human reviewer before Edge Functions or migrations ship.
- JWT sessions issued by Supabase Auth, one-hour access tokens, rotating refresh tokens. Native apps support biometric + PIN lock gating before any authenticated content renders.
- Cloudflare Turnstile on sign-up and login; Google OAuth callbacks verified against an allow-list (no open redirect).
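The Row-Level Security point above (isolation enforced by the database rather than the application) is easiest to see in a concrete policy set. The following is an added illustration, not kadence's own schema or migrations: it assumes a hypothetical `notes` table with an `owner_id` column and uses Supabase's `auth.uid()` helper, which returns the user id from the caller's JWT. With RLS enabled and no policy, Postgres denies every row; each policy then re-opens exactly one operation for exactly the caller's own rows, so a client using the anon/authenticated key cannot read or write another account's data whatever SQL it sends.

```sql
-- Added example (hypothetical table, not the project's schema).
create table if not exists notes (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null default auth.uid() references auth.users (id),
  body       text not null,
  created_at timestamptz not null default now()
);

-- Turn RLS on; "force" applies it even to the table owner role.
alter table notes enable row level security;
alter table notes force row level security;

-- Read: only rows whose owner_id matches the JWT subject.
create policy "notes: owner can select"
  on notes for select
  to authenticated
  using (owner_id = auth.uid());

-- Insert: a caller may only create rows it owns (WITH CHECK guards new rows).
create policy "notes: owner can insert"
  on notes for insert
  to authenticated
  with check (owner_id = auth.uid());

-- Update: USING limits which rows are visible to UPDATE,
-- WITH CHECK prevents re-assigning a row to another owner.
create policy "notes: owner can update"
  on notes for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Delete: same owner test.
create policy "notes: owner can delete"
  on notes for delete
  to authenticated
  using (owner_id = auth.uid());

-- Audit check for the "RLS on every table" claim: list any ordinary table
-- in the public schema that does not have row security enabled.
-- An empty result is the expected state.
select n.nspname as schema, c.relname as "table"
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and not c.relrowsecurity;
```

Two caveats a reviewer would raise: the `service_role` key bypasses RLS by design, so it must stay server-side (for example in Edge Function secrets, as the encryption section describes) and never reach a client; and a policy only covers the operation it names, so a table with a `select` policy but no `insert`/`update`/`delete` policies still denies those writes, which is the safe default rather than a bug.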
4. VULNERABILITY MANAGEMENT
- Continuous dependency scanning via GitHub Dependabot. Security advisories trigger a same-week patch SLA when exploitable.
- Regular penetration tests. See Open audits below.
- Responsible-disclosure program at [email protected]. See contact details below.
- CI runs TypeScript strict-mode checks, 4 ESLint governance rules, 300+ unit tests, and 90+ Playwright viewport tests on every pull request. Red builds do not merge.
5. INCIDENT RESPONSE
- 72-hour breach notification target per GDPR.
- Dedicated on-call during business hours (EU).
- Post-mortem published to affected customers within 14 days of resolution.
- Sentry captures server + client error telemetry across all 11 Edge Functions. Rate-limit anomalies and authentication failures trigger alerts.
6. CERTIFICATIONS
We do not currently hold formal certifications (SOC 2, ISO 27001). SOC 2 Type I is on our 2026 roadmap, triggered by enterprise deal flow. See our compliance roadmap for the forward plan.
7. SUBPROCESSORS
Our full list of sub-processors (including Supabase, Cloudflare, Stripe, Resend, PostHog, Sentry, and Firebase) is maintained at /subprocessors. Changes are published within 30 days.
8. RESPONSIBLE DISCLOSURE
Security researchers and curious users alike are welcome to report anything that looks off. We publish a machine-readable contact at /.well-known/security.txt per RFC 9116.
Email: [email protected]
First response: within 5 business days
Triage decision: within 10 business days
Scope: kadence.life, app.kadence.life, the published mobile apps
Safe harbor. We will not pursue legal action against researchers who report vulnerabilities in good faith and follow our disclosure policy. Please give us a reasonable disclosure window (30–90 days) before publishing, and do not run automated scans against our infrastructure. We do not run a formal bounty program yet; goodwill bounties are awarded case-by-case.
9. OPEN AUDITS
Periodic internal attack-surface audits are written up under docs/audits/ in the public source tree: 40+ reports across 8 rounds covering RLS, attack-surface, Supabase posture, ship-readiness, secrets scanning, pre-launch comprehensive review, architecture, QA, aesthetic review, production regression, and load test. The most recent pen-test round (API + MCP + webhooks) is tracked in the current sprint under docs/superpowers/specs/2026-04-19-api-mcp-pentest-sprint.md.