Security

Last updated: March 20, 2026

Forbiddance is a platform built to help you achieve SOC 2 compliance — so it goes without saying that security is core to everything we do. This page describes the controls and practices we apply to protect your data.

1. Encryption

  • At rest — all data stored in our Supabase PostgreSQL database is encrypted at rest using AES-256. File attachments stored in Supabase Storage are also encrypted at the block-storage level. Encryption at rest protects data if the underlying storage media is lost or read outside the database; it does not by itself restrict what an authenticated application query can see, which is why tenant isolation (section 2) is enforced as a separate control.
  • In transit — all communication between your browser and our servers is protected by TLS 1.2 or higher. We enforce HTTPS across every endpoint and redirect plain HTTP connections automatically.
  • Passwords — user passwords are never stored in plaintext. Supabase Auth handles credential hashing using bcrypt with a strong work factor.

2. Tenant Isolation

Every customer organization is a separate tenant with strict data isolation enforced at the database layer:

  • Row-Level Security (RLS) — all multi-tenant tables in PostgreSQL have RLS policies enabled. Each policy calls a requesting_org_id() helper that reads the authenticated user's org_id claim from the JWT, ensuring a query can only return rows belonging to the caller's organization.
  • org_id scoping — every server-side API call derives the org_id from the verified JWT before any database operation; it is never taken from a parameter the client supplies in the request. A caller therefore cannot reach another tenant's data through the application layer by substituting a different organization identifier.
  • No shared secrets — API keys and integration credentials are stored per-organization and are never accessible to other tenants.
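To make the RLS mechanism above concrete, here is what such a helper and policy look like in PostgreSQL. This is an added illustration, not Forbiddance's own schema or migration: the table name controls, its columns, the sample UUIDs, and the assumption that the org_id claim is already present in the token (for example, added by a custom access token hook) are all hypothetical. It relies on two things the Supabase API layer does provide: requests run as the authenticated role, and the verified JWT's claims are exposed to SQL through the request.jwt.claims setting.

```sql
-- Added example (hypothetical table and claim layout); not Forbiddance's schema.

-- 1. Helper: read the org_id claim from the verified JWT.
--    PostgREST exposes the token's claims as the request.jwt.claims setting.
--    The second argument to current_setting() makes it return NULL instead of
--    raising when no JWT is present (e.g. a direct psql session), and a
--    missing claim yields NULL, so the policy below fails closed.
create or replace function requesting_org_id()
returns uuid
language sql
stable
as $$
  select nullif(
    current_setting('request.jwt.claims', true)::jsonb ->> 'org_id',
    ''
  )::uuid;
$$;

-- 2. A multi-tenant table: every row carries the owning organization.
create table controls (
  id          uuid primary key default gen_random_uuid(),
  org_id      uuid not null,
  name        text not null,
  created_at  timestamptz not null default now()
);
grant select, insert, update, delete on controls to authenticated;

-- 3. Turn RLS on. FORCE applies the policy to the table owner as well,
--    so owner-privileged code cannot silently bypass it.
alter table controls enable row level security;
alter table controls force row level security;

-- 4. One policy for reads and writes. USING filters the rows a query can
--    see or modify; WITH CHECK rejects INSERT/UPDATE rows whose org_id is
--    not the caller's, so a client cannot write into another tenant's scope.
create policy controls_tenant_isolation
  on controls
  for all
  to authenticated
  using (org_id = requesting_org_id())
  with check (org_id = requesting_org_id());

-- 5. Self-check, as an operator would run it inside a transaction. The
--    claims below are constructed; in production they come from the JWT.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"user-a","role":"authenticated","org_id":"11111111-1111-1111-1111-111111111111"}',
    true);

  -- Returns only rows whose org_id matches the claim.
  select id, name from controls;

  -- Rejected by WITH CHECK: an attempt to write into another org's scope.
  insert into controls (org_id, name)
  values ('22222222-2222-2222-2222-222222222222', 'smuggled control');
rollback;
```

Two points worth keeping in mind when reviewing a setup like this. First, a policy with only a USING clause protects reads but not writes; the WITH CHECK clause is what stops a client from inserting or moving rows into another tenant's scope. Second, Supabase's service_role key bypasses RLS by design, so any server-side code that uses it gets no protection from these policies and must apply the org_id scoping itself, which is the application-layer control described above.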

3. Authentication

  • Forbiddance uses Supabase Auth, a hardened authentication service built on industry-standard protocols (OAuth 2.0, PKCE).
  • Multi-factor authentication (MFA) via TOTP authenticator apps is supported and recommended for all accounts.
  • Session tokens are short-lived JWT access tokens that are renewed automatically with a refresh token. Revoking a session invalidates its refresh token in Supabase Auth so it cannot be renewed; an access token that has already been issued stays valid only until its short expiry, which bounds how long a revoked session can remain usable.
  • OAuth integrations (GitHub, Google, etc.) use short-lived authorization codes and scoped access tokens stored encrypted in the database.

4. Infrastructure

  • Forbiddance's backend is hosted on Supabase's managed cloud infrastructure. Supabase is SOC 2 Type II audited and runs on AWS, which holds its own SOC 2 Type II attestation.
  • The application is deployed on Vercel, a SOC 2 Type II certified platform with automatic DDoS mitigation and global edge caching.
  • Automated database backups are taken daily with point-in-time recovery available. Backups are stored in a separate region from primary data.
  • Production infrastructure access is restricted to authorized Forbiddance engineers via role-based access control and MFA-protected accounts.

5. SOC 2 Alignment

We practice what we preach. Forbiddance's own internal security program is designed around the SOC 2 Trust Services Criteria:

  • Security (CC) — logical access controls, vendor risk management, and change management processes are in place and monitored.
  • Availability (A) — we maintain uptime targets and have incident response procedures for outages.
  • Confidentiality (C) — customer compliance data is classified as confidential and handled accordingly throughout its lifecycle.
  • Processing Integrity (PI) — AI-generated outputs are clearly labeled and intended as guidance, not authoritative compliance decisions.

6. Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue in Forbiddance, please report it to us privately and give us the opportunity to fix it before disclosing it publicly:

  • Email security@forbiddance.io with a description of the vulnerability and steps to reproduce.
  • We commit to acknowledging your report within 2 business days and providing a remediation timeline within 7 business days.
  • We will not pursue legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices.