Security & Data Handling

This page describes how we handle your data, credentials, and payments. We're a small team, so we're direct about what we do today, what we use third parties for, and what we don't yet have.

Infrastructure

We run on modern managed infrastructure rather than operating our own servers. This means that physical security, patching, and network-level DDoS protection are handled by providers with dedicated security teams.

  • Hosting: Netlify (SSR + static assets, global CDN)
  • Database: Supabase (managed Postgres, SOC 2 Type 2 compliant, hosted on AWS)
  • Payments: Stripe (PCI DSS Level 1 certified — we never see or store card data)
  • Email: Resend (transactional), SendGrid / provider TBD (marketing)

Authentication

  • Passwords are hashed by Supabase Auth (bcrypt) — we never store plaintext passwords
  • Session tokens live in httpOnly, secure cookies to mitigate XSS-based theft
  • CSRF tokens are issued per session and validated on all state-changing requests
  • Email verification is required on signup; Cloudflare Turnstile gates registration to block bot signups
  • Optional "remember me" extends session lifetime but does not bypass password requirements

Data Transit & Storage

  • All traffic is served over TLS 1.2+ (HTTPS-only via Netlify)
  • Data at rest is encrypted by Supabase's underlying AWS infrastructure (AES-256)
  • We follow least-privilege access: application queries use restricted service roles, not raw admin credentials

Access Control

Processes can be public, organization-private, or restricted to specific roles within an organization. We enforce access control at two layers:

  • Application layer: Permission checks on every API endpoint that reads or writes organization data
  • Database layer: Supabase Row-Level Security (RLS) policies so that direct queries cannot bypass our app logic
  • Organization roles (owner / admin / member / client / guest) gate what users can view, edit, and invite
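The application-layer half of the two-layer check above, as an added example in JavaScript (not the site's own code). The visibility values `'public'`, `'org'` and `'roles'`, the role ordering, and the rule that editing needs member-or-above and inviting needs admin-or-above are assumptions for illustration; the Row-Level Security policies that form the database layer are not shown here.

```javascript
// Added example (not the site's own code): application-layer permission
// checks for processes that are public, organization-private, or restricted
// to specific roles. The RLS policy in Postgres is the independent second
// layer and is expected to reject the same query on its own.
const ROLE_RANK = { owner: 4, admin: 3, member: 2, client: 1, guest: 0 }; // assumed ordering

// user.memberships maps organizationId -> role (constructed shape);
// an unauthenticated visitor is represented by null.
function roleIn(user, orgId) {
  return user && user.memberships ? user.memberships[orgId] : undefined;
}

function canView(user, process) {
  if (process.visibility === 'public') return true;
  const role = roleIn(user, process.orgId);
  if (role === undefined) return false;            // not in the organization at all
  if (process.visibility === 'org') return true;   // organization-private
  if (process.visibility === 'roles') {
    return Array.isArray(process.allowedRoles) && process.allowedRoles.includes(role);
  }
  return false;                                    // unknown visibility: fail closed
}

// Visibility alone never grants write access (assumed rule: member or above).
function canEdit(user, process) {
  const role = roleIn(user, process.orgId);
  return role !== undefined && ROLE_RANK[role] >= ROLE_RANK.member;
}

// Inviting others into the organization (assumed rule: admin or owner).
function canInvite(user, orgId) {
  const role = roleIn(user, orgId);
  return role !== undefined && ROLE_RANK[role] >= ROLE_RANK.admin;
}

// Every endpoint runs the check before touching data and returns 403 on failure.
function getProcessHandler(user, process) {
  if (!canView(user, process)) return { status: 403 };
  return { status: 200, body: process };
}

function updateProcessHandler(user, process, patch) {
  if (!canEdit(user, process)) return { status: 403 };
  return { status: 200, body: { ...process, ...patch } };
}
```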

Payments

All subscription billing is handled by Stripe. We never receive, process, or store credit card data. Payment information lives entirely in Stripe's PCI DSS Level 1 environment.

Our Stripe webhook handler validates signatures and plan IDs against a known allowlist before applying changes to a subscription.

Rate Limiting & Abuse Prevention

  • Rate limits on authentication, comments, onboarding tokens, and API endpoints to slow brute-force and scraping
  • Input sanitization on all user-generated content (HTML stripping, URL allowlisting, length caps)
  • Cloudflare Turnstile on signup to block automated account creation
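The rate limit and URL allowlist from the bullets above, as an added example in JavaScript (not the site's own code). The per-route limits, the sliding-window algorithm, the choice to allowlist by URL scheme, and the length cap are assumptions for illustration; the in-memory map would be a shared store in a multi-instance deployment, and HTML stripping is left to a dedicated sanitizer library rather than shown here.

```javascript
// Added example (not the site's own code): a sliding-window rate limiter
// keyed by route class and client key, plus URL allowlisting and length caps
// for user-supplied links.

// Constructed limits: requests per window, per route class.
const LIMITS = {
  auth: { max: 5, windowMs: 60_000 },
  comments: { max: 20, windowMs: 60_000 },
  api: { max: 100, windowMs: 60_000 },
};

class SlidingWindowLimiter {
  constructor(limits) {
    this.limits = limits;
    this.hits = new Map(); // "route:key" -> timestamps (ms) of recent hits
  }

  // `now` is injectable so behaviour can be tested without real time.
  check(routeClass, key, now = Date.now()) {
    const limit = this.limits[routeClass];
    if (!limit) throw new Error(`no limit configured for ${routeClass}`);
    const bucketKey = `${routeClass}:${key}`;
    const cutoff = now - limit.windowMs;
    const recent = (this.hits.get(bucketKey) || []).filter((t) => t > cutoff);
    if (recent.length >= limit.max) {
      this.hits.set(bucketKey, recent);
      // Oldest hit in the window decides when the next request may pass.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + limit.windowMs - now };
    }
    recent.push(now);
    this.hits.set(bucketKey, recent);
    return { allowed: true, remaining: limit.max - recent.length, retryAfterMs: 0 };
  }
}

const ALLOWED_SCHEMES = new Set(['http:', 'https:']); // assumed allowlist
const MAX_URL_LENGTH = 2048;                           // assumed cap

// Returns a normalised URL string, or null if the input is too long,
// unparseable, or uses a scheme outside the allowlist (javascript:, data:, ...).
function sanitizeUrl(input) {
  if (typeof input !== 'string' || input.length > MAX_URL_LENGTH) return null;
  let url;
  try {
    url = new URL(input);
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}
```

Returning `retryAfterMs` lets the endpoint set a `Retry-After` header instead of silently dropping requests, which keeps legitimate clients from retrying in a tight loop.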

Data You Export or Delete

You own your content. You can export or delete your processes, organization data, and account at any time. When an account is deleted, associated data is removed from our active database.

To request an export or deletion, contact us through our contact page.

What We Don't Yet Have

We're a small team and we'd rather be honest about what's on the roadmap than imply certifications we don't hold:

  • We are not SOC 2 or ISO 27001 certified. Our infrastructure providers (Supabase, Stripe, AWS) hold these certifications.
  • We do not yet offer SSO, SCIM provisioning, or audit log exports. These are planned for the Enterprise tier.
  • We don't currently sign BAAs (no HIPAA-covered use cases).

If your organization has specific compliance requirements, reach out and we'll tell you honestly whether we can meet them today.

Reporting a Vulnerability

If you believe you've found a security issue, please email us via the contact form with the subject "Security" so we can triage it quickly. We'll acknowledge reports within 72 hours.