Security

Built secure from the ground up.

We don't bolt security on after the fact. Isolation, encryption, and least-privilege access are architectural defaults — not optional add-ons.

Data isolation

  • Every workspace is fully isolated via Supabase Row Level Security — no cross-tenant data leakage is possible at the database layer
  • Service-role key never exposed to client-side code — all DB writes go through authenticated server functions
  • Workspace ID validated on every query at both the RLS and application layers

Transport & storage

  • All data in transit encrypted with TLS 1.3
  • Data at rest encrypted with AES-256 by Supabase (managed Postgres on AWS)
  • Secrets (API keys, auth tokens) stored in Cloudflare Worker secrets — never in source code or environment files

Infrastructure

  • Deployed on Cloudflare Workers — no server to patch, no IP to attack
  • Supabase-managed Postgres with automated backups and point-in-time recovery
  • Twilio webhook requests validated with HMAC-SHA1 signature before processing
  • CF KV rate limiting: 30 webhook requests/min per channel, 100 requests/min per workspace

Access control

  • Role-based access: Owner → Admin → Member — each role scoped at the workspace level
  • Invite tokens are cryptographically random UUIDs, expire in 7 days, and are single-use
  • All platform-admin actions logged to audit_log with user ID and timestamp
  • Password reset via Supabase secure token flow — no plain-text tokens in URLs

Responsible disclosure

If you discover a security vulnerability, please disclose it responsibly. Contact us via the form below and we'll respond within 48 hours.

Report a vulnerability