Security
A practical security posture for a controlled pilot.
This page describes the current direction, not a certification claim. The goal is to make the test version clear enough for serious teams to evaluate without pretending the product is already enterprise-complete.
Essential cookies
Authentication, session continuity, security checks, and routing.
Scoped access
Workspace membership and role checks before client operations.
API key handling
Plaintext shown only at creation or rotation; stored secrets are hashed.
No ad tracking
No advertising pixels in the launch posture.
Authentication
Email/password and OAuth sign-in use Supabase Auth flows. Account recovery and confirmation links are tied to the same browser/session path where practical.
Workspace access
Users enter organization workspaces through membership and role checks. Admin and client surfaces are separated in the application.
API keys
API key workflows are designed so plaintext keys are shown only at creation or rotation time; stored records use hashed secrets and scoped organization metadata.
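The following is an added illustration of the key-handling pattern described above; it is not the product's own code and assumes nothing about its schema. It shows the lifecycle as a defender would implement it: generate a high-entropy key, return the plaintext exactly once, persist only a SHA-256 hash plus a display prefix and the owning organization, verify with a constant-time comparison, and rotate by revoking the old record. The record shape, the in-memory store, the `sk_` prefix and the 11-character lookup prefix are all assumptions chosen for the example.

```typescript
import { randomBytes, createHash, timingSafeEqual } from "node:crypto";

// Assumed record shape: the plaintext key is never stored, only its hash,
// a short prefix for lookup/display, and the organization it is scoped to.
interface ApiKeyRecord {
  id: string;
  orgId: string;
  prefix: string;     // first 11 chars of the key ("sk_" + 8 random chars)
  secretHash: string; // hex SHA-256 of the full plaintext key
  createdAt: number;
  revokedAt?: number;
}

// Constructed stand-in for a database table, keyed by prefix.
const store = new Map<string, ApiKeyRecord>();
const PREFIX_LEN = 11;

// A random 256-bit key is not a password, so a plain SHA-256 is adequate;
// a slow KDF is only needed when the secret is low-entropy.
function hashSecret(key: string): string {
  return createHash("sha256").update(key, "utf8").digest("hex");
}

// Issue a key for an organization. The plaintext is returned once and
// the caller is responsible for showing it to the user a single time.
function issueApiKey(orgId: string): { plaintext: string; record: ApiKeyRecord } {
  const plaintext = "sk_" + randomBytes(32).toString("base64url");
  const record: ApiKeyRecord = {
    id: randomBytes(8).toString("hex"),
    orgId,
    prefix: plaintext.slice(0, PREFIX_LEN),
    secretHash: hashSecret(plaintext),
    createdAt: Date.now(),
  };
  store.set(record.prefix, record);
  return { plaintext, record };
}

// Verify a presented key against the stored hash in constant time and
// enforce that the key belongs to the organization being accessed.
function verifyApiKey(presented: string, orgId: string): ApiKeyRecord | null {
  const record = store.get(presented.slice(0, PREFIX_LEN));
  if (!record || record.revokedAt !== undefined) return null;
  const a = Buffer.from(hashSecret(presented), "hex");
  const b = Buffer.from(record.secretHash, "hex");
  if (a.length !== b.length || !timingSafeEqual(a, b)) return null;
  if (record.orgId !== orgId) return null; // scoped-access check
  return record;
}

// Rotate: the old record is marked revoked (kept for audit), a fresh key is
// issued for the same organization, and its plaintext is returned once.
function rotateApiKey(oldPlaintext: string, orgId: string): { plaintext: string; record: ApiKeyRecord } | null {
  const current = verifyApiKey(oldPlaintext, orgId);
  if (!current) return null;
  current.revokedAt = Date.now();
  return issueApiKey(orgId);
}

// Stand-alone demonstration of the lifecycle.
function demo(): boolean {
  const issued = issueApiKey("org_demo");
  const okBefore = verifyApiKey(issued.plaintext, "org_demo") !== null;
  const rotated = rotateApiKey(issued.plaintext, "org_demo");
  const oldRejected = verifyApiKey(issued.plaintext, "org_demo") === null;
  const newAccepted = rotated !== null && verifyApiKey(rotated.plaintext, "org_demo") !== null;
  return okBefore && oldRejected && newAccepted;
}

export { issueApiKey, verifyApiKey, rotateApiKey, hashSecret, demo, store };
```

The prefix lookup lets the table be indexed without ever holding the plaintext, and the organization check runs after the hash comparison so a valid key from one workspace cannot be replayed against another. A real deployment would add per-key scopes and last-used timestamps to the record and log verification failures alongside the request context described under Abuse prevention.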
Abuse prevention
Turnstile checks can protect registration, login, and recovery flows. Security events and request context are logged for troubleshooting and abuse review.
Infrastructure
The web app is hosted on Vercel, data services use Supabase, email delivery uses Resend, and DNS/security controls use Cloudflare where configured.
Privacy defaults
No advertising tracking in the launch posture.
The public website and platform are intended to start with essential/auth/security cookies only. If non-essential analytics or marketing tools are introduced later, consent handling and policy updates will come first.
Before production launch
Publish the final legal entity and address in the Privacy Policy.
Enable the privacy mailbox and document the subprocessors list.
Publish a practical retention schedule for accounts, support requests, logs, and reports.
Finalize the DPA for B2B customers who need processor terms.