All traffic to bupkis.app uses TLS 1.3 with modern cipher suites · enforced by Vercel's edge. Data at rest in Supabase Postgres is encrypted with AES-256 (Supabase default). Stripe handles all payment-method storage · we never see raw card numbers. Secrets (LLM provider API keys, webhook secrets) are stored in Vercel encrypted environment variables.
User authentication via Supabase Auth · magic link or OAuth provider. API access via Bearer tokens (bk_live_...) scoped to a workspace · revocable from the keys page. Cookie-auth routes are protected by same-origin (CSRF) checks. Admin access requires 2FA, IP allowlist, and short-lived re-auth tokens for destructive actions.
Every database query scopes by workspace_id. Workspace membership is enforced server-side · the cookie that selects the active workspace is validated against actual membership before any query runs. Forks, installs, runs, threads, and agents are all workspace-scoped · cross-workspace data leakage is structurally impossible.
Every admin action writes to a hash-chained audit log. Each row carries the SHA-256 hash of the previous row · a verifier cron runs daily and alerts our security channel if the chain breaks. Refunds, account-deletions, manual cashouts, and tier changes are all logged with the admin user id, timestamp, and IP address.
All monetary state changes (wallet credits, cashouts, refunds, cashback payouts) flow through a single ledger table with advisory locks and partial unique indexes preventing race conditions. Payouts are idempotency-keyed at Stripe · the same payout cannot fire twice. Overage billing is hard-capped per tier · accounts cannot accumulate runaway charges.
We monitor Vercel runtime logs, Stripe webhook failure rates, and database error rates. Slack alerts fire to our ops channel within minutes of any anomaly. Production incidents are triaged immediately · users impacted by an outage are emailed once root cause is identified.
We take security seriously · please report any vulnerability you find to security@bupkis.app. PGP key available on request. We acknowledge reports within 48 hours and aim to patch high-severity issues within 7 days. We don't yet run a formal bug bounty · we'll happily credit researchers and Swag-You-Up.
Bupkis is GDPR + CCPA compliant for end-user data rights · see the privacy policy for the full data-rights flow. SOC 2 Type II is in progress · we're using Drata to attestation. PCI scope is limited (we never touch raw cards · Stripe handles all PCI-DSS responsibilities).