Security

Last updated: May 1, 2026

Supoid is built by a solo founder who takes security seriously because one breach is one too many. This page documents the controls in place. Found a bug? Email security@supoid.com — see our responsible disclosure page.

Encryption

  • In transit — TLS 1.3 with strong ciphers; plain HTTP redirects to HTTPS; HSTS with preload-eligible policy
  • At rest — Supabase storage encryption + AES-256-GCM application-layer encryption for sensitive fields (webhook signing keys, 2FA secrets)
  • Backups — daily encrypted snapshots, 7-day point-in-time recovery
  • API keys — stored as SHA-256 hashes; plaintext is shown exactly once at create time
  • Passwords — Argon2id hashing via Better Auth
  • IP addresses — never stored raw; HMAC-SHA-256 fingerprints only

Authentication and access control

  • Email + password (verified) or Google / GitHub OAuth via Better Auth
  • TOTP-based two-factor authentication (Settings → Security)
  • Per-workspace RBAC: owner, admin, member — least-privilege by default
  • Active session list with single-click revoke
  • Per-API-key scopes (feedback:read, etc.) — see the API docs

Database security

  • Postgres 17 hosted on Supabase EU (Frankfurt)
  • Row-level security on every user-data table. Application connections run under the authenticated Postgres role with a per-request app.current_user_id GUC; policies enforce workspace isolation server-side
  • Service-role connections (background jobs, webhooks) use a separate client and are explicit in code
  • Daily backups + point-in-time recovery (7 days)

Infrastructure

  • Hosted on Vercel (SOC 2 Type II) with global edge delivery and Fluid Compute functions
  • Managed Postgres on Supabase (SOC 2 Type II); Frankfurt region for EU data residency
  • Background jobs on Inngest with retries, concurrency limits, and idempotency
  • Rate limiting on Upstash Redis (sliding window)
  • Monitoring on Sentry (errors) and PostHog (product analytics)

Application security

  • Strict Content Security Policy with per-request nonce + strict-dynamic
  • HSTS, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, restrictive Permissions-Policy
  • Input validated by Zod at every server-action and API boundary
  • User-supplied Markdown rendered via react-markdown + rehype-sanitize; tag/attr allowlist enforced
  • Outbound webhook signatures (HMAC SHA-256) with timestamp-based replay protection
  • AI calls receive only PII-masked text (emails, phone numbers and common credential patterns are masked by regex) and go to providers under zero-data-retention agreements

Incident response

  • Founder is on-call; alerts go to phone + email via Sentry, PostHog, Polar, Inngest, and Supabase
  • Public status page at status.supoid.com
  • Personal-data breaches notified within 72 hours per GDPR Art. 33
  • Internal runbook covers DDoS, DB outage, AI provider failure, payment provider outage, and suspected leaks

Compliance

  • GDPR-aligned (controller / processor split, DPA available)
  • KVKK-aligned (Türkiye)
  • CCPA-aligned (no sale of personal data)
  • SOC 2 — not certified yet; on the post-Series A roadmap. Hosting providers are SOC 2 Type II.

Reporting a vulnerability

Email security@supoid.com. We acknowledge within 1 business day and prioritise based on severity. See our responsible disclosure policy for scope, timelines, and our hall of fame.