Trust Center

Security

Security isn't just a feature at CodeSec — it's our reason for existing. Here's how we protect your data and infrastructure.

Version: 1.0

Last Updated: May 30, 2026

Effective: Immediately

01 Infrastructure Security

  • Hosted on Hetzner Cloud and Vercel with automatic DDoS mitigation
  • Supabase-managed PostgreSQL with row-level security on all tables
  • Private network isolation — database never exposed to public internet
  • Automated backups with point-in-time recovery (PITR)
  • Infrastructure access restricted by IP allowlist and MFA
02 Data Encryption

  • TLS 1.3 for all data in transit — TLS 1.0/1.1 disabled
  • AES-256 encryption for data at rest (Supabase managed keys)
  • Encrypted backups with separate encryption keys
  • Sensitive fields (API keys, secrets) additionally encrypted at application layer
  • HTTPS enforced everywhere — HTTP requests are redirected
03 Application Security

  • OWASP Top 10 mitigations built into all API routes
  • Input validation and sanitization on all user-supplied data
  • CSRF protection on all state-mutating endpoints
  • Rate limiting on authentication and API endpoints
  • Content Security Policy (CSP) headers on all responses
  • Regular dependency audits with automated CVE scanning (using CodeSec)
04 Authentication

  • Powered by Supabase Auth with battle-tested JWT implementation
  • OAuth 2.0 with GitHub and Google for social login
  • Multi-factor authentication (MFA) available for all accounts
  • Session tokens rotated on each use (refresh token rotation)
  • Brute-force protection with automatic account lockout
  • Secure password hashing using bcrypt with salt rounds
05 Monitoring & Alerting

  • 24/7 infrastructure monitoring with automated alerting
  • Real-time security event logging and audit trails
  • Anomaly detection for unusual access patterns
  • Automated alerts for failed authentication attempts
  • Uptime monitoring with sub-minute detection of outages
06 Access Controls

  • Principle of least privilege for all internal systems
  • Role-based access control (RBAC) for team workspaces
  • Workspace isolation — data is never shared across accounts
  • Admin access is logged and audited
  • Separation of duties for production deployments
07 Responsible Disclosure Program

We welcome responsible disclosure of security vulnerabilities in CodeSec. If you discover a security issue, please report it to us privately before public disclosure so we can fix it promptly.

In Scope

  • Authentication and authorization vulnerabilities
  • Data exposure or cross-account data access
  • Remote code execution
  • SQL injection or other injection vulnerabilities
  • CSRF or session management issues
  • Sensitive data exposure

Out of Scope

  • Denial of service attacks
  • Social engineering or phishing
  • Physical security
  • Issues in third-party dependencies (report to the vendor)
  • Rate limiting on public pages

Our Commitments

  • Acknowledge your report within 48 hours
  • Provide a timeline for fix within 7 days
  • Notify you when the vulnerability is resolved
  • Credit you in our security acknowledgements (if desired)
  • Not pursue legal action for good-faith research within scope

Please do not access or modify other users' data, run automated scanners against our production systems, or disclose vulnerabilities publicly before we've had 90 days to fix them.

Found a vulnerability? Report it confidentially. We respond within 48 hours.

[email protected]