Security — in plain English.
We don't pretend to be SOC 2 today. We do publish what we actually do, and how to reach us if you find something.
Practices
Data in transit
TLS 1.3 enforced for every connection. HSTS preloaded. Strict cookie attributes (Secure, HttpOnly, SameSite=Lax) on every session cookie.
Data at rest
Postgres at-rest encryption via Supabase (AES-256). Object storage encrypted with provider-managed keys. Row-level security on every user-facing table.
Authentication
Supabase Auth with rotating refresh tokens. Service-role keys are scoped to specific cron and webhook routes — never used in client paths.
Webhook signing
Outbound webhooks are HMAC-SHA256 signed with a per-site rotating secret. Replay window is 5 minutes; clock skew tolerance is 60 seconds.
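For receivers of those webhooks, the check described above (HMAC-SHA256 over the delivery, a 5-minute replay window, 60 seconds of clock-skew tolerance) looks like the following. This is an added example, not acribe's own code; the page does not specify the signed-message layout or header names, so the "<timestamp>.<body>" layout and the hex-encoded signature are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constants taken from the page's stated policy.
REPLAY_WINDOW_SECONDS = 5 * 60  # reject deliveries older than 5 minutes
CLOCK_SKEW_SECONDS = 60         # tolerate sender/receiver clocks up to 60 s apart

# Assumed (not specified on the page): the signed message is "<unix_ts>.<raw body>"
# and the signature travels hex-encoded next to the timestamp.
def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    msg = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify_webhook(secret: bytes, timestamp_header: str, signature_header: str,
                   body: bytes, now: Optional[int] = None) -> "tuple[bool, str]":
    """Return (accepted, reason). Timestamp checks run first so that a replayed
    but otherwise valid delivery is rejected for the right reason."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(timestamp_header)
    except (TypeError, ValueError):
        return False, "malformed timestamp"
    if ts > now + CLOCK_SKEW_SECONDS:
        return False, "timestamp too far in the future"
    if now - ts > REPLAY_WINDOW_SECONDS:
        return False, "outside replay window"
    expected = sign_webhook(secret, ts, body)
    # Constant-time comparison: does not leak how many leading bytes matched.
    if not hmac.compare_digest(expected, signature_header):
        return False, "signature mismatch"
    return True, "ok"

def demo() -> "dict[str, tuple[bool, str]]":
    """Constructed deliveries: fresh, replayed, future-dated and tampered."""
    secret = b"constructed-per-site-secret"
    body = b'{"event":"audit.completed","site":"example"}'
    now = 1_700_000_000
    sig = sign_webhook(secret, now, body)
    return {
        "fresh": verify_webhook(secret, str(now), sig, body, now=now + 10),
        "replayed": verify_webhook(secret, str(now), sig, body, now=now + 301),
        "future": verify_webhook(secret, str(now + 61),
                                 sign_webhook(secret, now + 61, body), body, now=now),
        "tampered": verify_webhook(secret, str(now), sig, body + b" ", now=now),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Rotate the per-site secret by accepting both the current and the previous value for one rotation period, so deliveries signed just before the switch are not dropped.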
LLM provider boundaries
We send the URLs and prompts you configure to the providers required to run your audit. We do not log raw responses beyond the citation snapshot. We never train on your data.
Backups
Daily logical backups, 30-day retention. Point-in-time recovery up to 7 days on the primary database.
Coordinated disclosure
- 01. Send a report: email security@acribe.com. Encrypt it with our PGP key (fingerprint published below). Include reproduction steps and impact.
- 02. We acknowledge in 24h: weekday acknowledgement within 24 hours. We assign a tracking ID and a single point of contact.
- 03. We fix and disclose together: we aim to ship a fix within 30 days for high-severity issues. We coordinate disclosure timing with you. Researchers are credited on request.
PGP fingerprint
A1B2 C3D4 E5F6 7890 1234 5678 9ABC DEF0 1122 3344
Public key available on request from security@acribe.com.
Out of scope
- Self-XSS and clickjacking on pages without sensitive actions.
- Missing security headers without a demonstrated impact.
- Rate-limit findings on unauthenticated endpoints already protected by Turnstile.
- Vulnerabilities requiring physical access to a user's device.