
Trust

Security

How we protect data and systems — infrastructure, encryption, access, monitoring, and how to report a vulnerability.

Last updated · July 2, 2026
v1.1
Active

Infrastructure

We build on managed, reputable cloud infrastructure with isolated environments for development, staging, and production. Infrastructure is provisioned as code and reviewed before changes ship.

Encryption

  • TLS for all data in transit.
  • Encryption at rest for databases, storage, and backups.
  • Secrets never stored in source control.

Authentication

Access uses modern authentication with OAuth providers (Google, GitHub) and email/password. We support strong password policies and encourage provider-managed 2FA.

Backups

Production data is backed up on a regular schedule with point-in-time recovery available on our managed database tier.

Access control

We apply role-based access control (RBAC) and least privilege. Row-level security policies enforce data isolation at the database layer, not just the application.

note
policy: enable RLS on every table
rule:   users read/write only their own rows
staff:  scoped by verified role, never client-set
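
The three rules in the note above, written out as row-level security policies. This is an added example, not this site's own schema or code: the choice of PostgreSQL, the table `documents`, the roles `app_user` and `support_staff`, and the `app.user_id` session setting are all assumptions made for illustration.

```sql
-- Added example (PostgreSQL 10+). All object names here are hypothetical.
CREATE TABLE documents (
    id       bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    owner_id uuid NOT NULL,
    body     text NOT NULL
);

-- policy: enable RLS on every table.
-- With RLS enabled and no matching policy, access is denied by default.
-- FORCE applies the policies to the table owner as well.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- Separate database roles for end-user requests and for staff tooling.
CREATE ROLE app_user NOLOGIN;
CREATE ROLE support_staff NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT SELECT ON documents TO support_staff;

-- rule: users read/write only their own rows.
-- Assumption: the server sets app.user_id per transaction after it has
-- verified the session (SET LOCAL app.user_id = '<verified id>').
-- Clients must never be able to send SQL that sets it themselves.
-- If the setting is missing, current_setting(..., true) returns NULL,
-- the comparison is NULL, and no row matches (fails closed).
CREATE POLICY documents_owner ON documents
    FOR ALL TO app_user
    USING      (owner_id = current_setting('app.user_id', true)::uuid)
    WITH CHECK (owner_id = current_setting('app.user_id', true)::uuid);

-- staff: scoped by verified role, never client-set.
-- The policy is bound to a database role granted by an administrator,
-- not to a column or request field the caller could supply.
-- Staff get read access only; no write policy exists for this role.
CREATE POLICY documents_staff_read ON documents
    FOR SELECT TO support_staff
    USING (true);

-- Check for drift: list ordinary tables in the public schema that do
-- not have RLS enabled. An empty result means the first rule holds.
SELECT c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND NOT c.relrowsecurity;
```

The final query is suited to a CI or scheduled check, since a table created later without `ENABLE ROW LEVEL SECURITY` is readable by any role that holds a grant on it.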

Secrets management

Credentials and API keys live in managed secret stores and environment configuration — never in the client bundle or the repository. Service-role keys never reach the browser.

Monitoring

We monitor application errors, runtime exceptions, and infrastructure health, with alerting on anomalies so issues are caught early.

Incident response

  • Detect & triage severity.
  • Contain and mitigate impact.
  • Notify affected parties per obligations.
  • Remediate root cause and document learnings.

Responsible disclosure

Found a vulnerability?

Report it privately through our contact page. We acknowledge reports promptly, investigate, and will not pursue good-faith researchers who follow responsible disclosure.

Compliance roadmap

We follow SOC 2-aligned practices today and are maturing toward formal certification. This page reflects current, app-visible controls — it is not itself an independent certification.

Frequently asked

Questions about this document? Reach us at our contact page.
