Security Policy

Last updated: May 2026

How We Protect Your Data

SSL/TLS Encryption

All data in transit is encrypted using TLS 1.3

Supabase Row Level Security

Database access is restricted per user via RLS policies

Secure Password Hashing

Passwords are hashed using bcrypt with salt rounds

Cloudflare DDoS Protection

All traffic passes through Cloudflare's global network

Regular Security Audits

We conduct quarterly security reviews

Least Privilege Access

Employees only access data needed for their role

Data Centre Security

  • DigitalOcean data centres with 24/7 physical security monitoring
  • ISO 27001 compliant infrastructure
  • Geographic redundancy across multiple availability zones
  • Regular automated backups with point-in-time recovery

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly:

Email: [email protected]

Subject: Security Vulnerability Report

Response time: We acknowledge within 24 hours

Resolution target: Critical issues within 72 hours

Responsible Disclosure Guidelines

  • Do not access or modify other users' data
  • Do not perform denial of service attacks
  • Do not publicly disclose the issue before we have resolved it
  • Provide sufficient detail to reproduce the issue

We are grateful to security researchers who report vulnerabilities. We do not currently offer a monetary bug bounty programme, but we do acknowledge researchers in our security hall of fame.

Incident Response

In the event of a security incident affecting user data, we will notify affected users by email within 72 hours and post an update on our status page. We will provide details of what happened, what data was affected, and what steps we are taking to prevent recurrence.