A security posture stated plainly.
What we collect, where it is processed, who can access it, and which review materials exist today — without invented certifications or over-promised timelines.
Access
Dashboard access uses Supabase Auth with workspace roles — owner, admin, and member — and auditable ownership boundaries.
Data
Traffic is encrypted in transit with TLS. Managed providers encrypt application and warehouse data at rest.
Subprocessors
Hosting, warehouse, auth, cache, billing, and email vendors are listed in the legal packet and updated as they change.
Incident response
Incident handling follows an internal severity and ownership process. We document it rather than imply SLA timelines we cannot guarantee. We are not SOC 2 certified yet and will not claim otherwise.
Review materials
For vendor review, use the data processing agreement, the published subprocessors list, and a direct security conversation together. Assume nothing that is not stated here.
Need the full security packet?
Use the DPA, subprocessors page, and security contact together for procurement review.