Security & Infrastructure
Last updated: April 12, 2026 · Version 1.0
Overview
This page summarizes how we think about security and which vendors process data on our behalf. It is informational and may be updated as our stack evolves.
Practices
- TLS for traffic in transit.
- Security headers, including CSP and HSTS, on the web app.
- Authenticated API routes, with reverification for sensitive actions where implemented.
- Webhooks verified with provider signatures.
- Payment entitlements validated against actual checkout line items.
- Least-privilege access patterns for databases and secrets where we control keys.
- Minimal Inngest event payloads, with sensitive fragments encrypted before leaving the app.
Subprocessors
| Vendor | Role | Typical data | | --- | --- | --- | | Vercel | Application hosting and edge delivery | Runs application code; may process requests and logs per vendor policy. | | Clerk | Authentication and user identity | Account identifiers, session, profile fields you provide. | | Stripe | Payments | Payment processing; we do not store full card data on our servers. | | Supabase | Database (analytical / report storage) | Pseudonymous scores and report-related fields as described in our Privacy Policy. | | Upstash | Redis (rate limits, short-lived processing keys, coordination) | Technical keys, counters, short-lived workflow context, and ephemeral upload processing state. | | Infisical | Secrets vault (optional matching bridge) | Technical mapping for the matching feature when enabled. | | Inngest | Background workflows and realtime delivery | Minimal job metadata and encrypted workflow fragments needed to run reports. | | AI gateway / model providers | Model inference for the assessment pipeline | Prompts and model outputs during processing, governed by provider terms and your gateway settings. |
Vulnerability reporting
If you believe you have found a security issue, please report it responsibly. Include enough detail to reproduce the issue and allow us to fix it before public disclosure. We appreciate good-faith research.
See also Privacy Policy and Terms of Service.
Configure SECURITY_CONTACT_EMAIL in your deployment environment to show a dedicated inbox here and in /.well-known/security.txt.