Last updated: April 1, 2026
All data in transit is protected with TLS 1.3 encryption. Database connections use SSL. No sensitive data is stored in plain text.
User authentication is managed by Clerk, which provides enterprise-grade security including session management, MFA support, and bot detection.
Each user's data is isolated using Supabase Row Level Security (RLS) policies. Server-side code uses service role keys, which bypass RLS, only for authorized operations.
All API endpoints require authentication via Clerk middleware. Rate limiting (20 requests/hour) prevents abuse. File uploads are limited to 10 MB and are validated by type.
All secrets (API keys, database credentials) are stored as environment variables, never committed to source control. A .env.example file documents required variables without values.
If you discover a security vulnerability, please report it through the contact information available in your account settings. We take all reports seriously and will respond promptly.