Security

Security controls, boundaries, and operational posture.

Infrastructure

TLS in transit

All client-server traffic uses TLS 1.2+. HSTS is enforced. Certificate pinning is not implemented.

Encryption at rest

R2 objects are encrypted with AES-256 by Cloudflare. Database backups are encrypted. Key management is handled by the infrastructure provider.

Network boundaries

The server runs on Fly.io with private networking. The database (Supabase) is accessible only from the application VPC. No database ports are exposed publicly.

Dependency patching

Critical vulnerabilities are patched within 72 hours of advisory publication. Patch status is tracked in the operator dashboard.

Authentication and authorization

  • Auth: Supabase Auth with email/password and OAuth providers. JWT sessions with refresh tokens.
  • Role-based access: Workspace roles (owner, admin, reviewer, viewer) restrict actions at the API layer. Role changes are logged.
  • Tier enforcement: Feature gates are checked in route middleware and again at stage runtime. A user cannot bypass tier limits by calling the API directly.
  • API keys: Scoped to workspace and tier. Keys can be revoked instantly. Usage is logged.

What we do not do

  • We do not perform independent penetration testing on a fixed schedule. Testing is event-driven (major releases, dependency upgrades) and conducted by the founder.
  • We do not hold a SOC 2 or ISO 27001 certification. The platform is early-stage and prioritizes technical controls over compliance paper trails.
  • We do not guarantee zero-day immunity. We patch fast and maintain dependency hygiene.
  • We do not operate a bug bounty program at this time. Reports should be sent to [email protected].
