Security.
Last updated May 23, 2026
Encryption
TLS 1.2+ for everything in transit. Application data sits in Supabase-managed PostgreSQL with disk encryption at rest. Cloud-provider credentials are stored in Supabase Vault, encrypted with a separate platform-managed key, and are never written to application tables or logs.
Authentication and authorization
Sign-in uses Supabase magic-link one-time codes - no passwords. Every domain table enforces PostgreSQL row-level security (RLS) policies scoped to the requesting user's organization, and every policy is gated by a single SQL function. The Supabase service-role key (which bypasses RLS) is used only by the Stripe webhook endpoint.
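As an added illustration of the pattern described above (not the service's own schema or code), this is what a single-function RLS gate looks like in PostgreSQL on Supabase; the table and column names are assumed, while auth.uid() and the authenticated role are Supabase's own.

```sql
-- Added example, not the service's actual schema. Assumed names: table "projects"
-- with an "org_id" column, and table "org_members" mapping user_id -> org_id.
-- auth.uid() is Supabase's helper that returns the calling user's id from the JWT.

-- One function gates every policy. SECURITY DEFINER lets it read org_members even
-- when that table is itself protected by RLS; STABLE lets the planner call it once
-- per statement; pinning search_path prevents function-resolution hijacking.
-- The LIMIT 1 assumes one organization per user.
create or replace function current_org_id()
returns uuid
language sql
stable
security definer
set search_path = public
as $$
  select org_id
  from org_members
  where user_id = auth.uid()
  limit 1;
$$;

-- Deny by default: with RLS enabled and forced, rows are invisible unless a policy
-- grants them, even to the table owner. Only the service-role key bypasses this.
alter table projects enable row level security;
alter table projects force row level security;

-- Scope reads and writes to the caller's organization. USING filters rows the user
-- can see; WITH CHECK stops an insert or update from placing a row in another org.
create policy projects_org_isolation on projects
  for all
  to authenticated
  using (org_id = current_org_id())
  with check (org_id = current_org_id());

-- Check: run as an authenticated user, this returns only that user's org rows.
-- select id, org_id from projects;
```

Because every policy calls the same function, changing how a user maps to an organization is a one-place change rather than an audit of every table.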
Operational controls
Production access is limited to named engineers with individual accounts and strong authentication. We do not share service accounts. Direct database access is read-only for routine operations; write access is reserved for documented break-glass scenarios. Supabase performs automated daily backups; we test restores periodically.
Incident response
If we confirm unauthorized access to or acquisition of Customer data, we will notify affected customers within 72 hours of confirmation, with what happened, what data was affected, what we are doing to contain it, and what customers should do. The contractual version of this commitment is in the DPA.
Responsible disclosure
Found a security issue? Email [email protected] with a description and, if possible, reproduction steps. We will acknowledge within two business days and work with you on a fix. Please give us a reasonable window before sharing externally, do not access data that isn’t yours, and avoid testing that could degrade service for other customers. We do not run a paid bounty but will credit you publicly if you wish.