Security
Last updated: 2 June 2026
Draft — review before launch. Make sure every claim below reflects what you actually have in place.
We take the security of your account and documents seriously. This page summarizes the measures we use and how to report a problem.
1. Data protection
- All traffic is encrypted in transit over HTTPS/TLS.
- Passwords are never stored in plain text — authentication is handled by Supabase and credentials are stored as salted hashes.
- Sessions use HTTP-only, secure cookies, so session tokens are not readable by page scripts, which reduces their exposure to cross-site scripting.
- Files and data are stored with our infrastructure providers (Supabase) under their security and access controls.
2. Application security
- We use Arcjet for rate limiting, bot detection, and request shielding to mitigate abuse and common attacks.
- Requests to the API are subject to input validation.
- Payment data is processed by Stripe; we never handle full card numbers.
3. Your role
Use a strong, unique password and keep your credentials private. Sign out on shared devices, and let us know immediately if you suspect unauthorized access to your account.
4. Reporting a vulnerability
If you believe you have found a security vulnerability, please report it responsibly to [SECURITY CONTACT EMAIL]. Please give us a reasonable opportunity to investigate and fix the issue before any public disclosure. We appreciate the work of the security community and will acknowledge valid reports.
5. Changes
We may update this page as our practices evolve and will revise the “Last updated” date above.