Security

SupaBook's security approach — defense-in-depth, workspace isolation, encryption at rest and in transit, access controls, and responsible disclosure.

Defense in depth

SupaBook applies multiple independent security controls so that the failure of any one layer does not compromise customer data. Controls span infrastructure, application code, and operational practices.

Platform ownership and infrastructure control

SupaBook owns and operates the SupaBook application and the customer-data workflows inside it. The application is hosted on SupaBook-managed VPS infrastructure, and we use reputable managed service providers for supporting services such as database hosting, authentication, payments, and communications. SupaBook manages the application layer, server configuration, database schema, workspace access model, deployment process, and data-retention workflows.

  • SupaBook controls the application experience, workspace model, and operational procedures used to protect customer data
  • The application runs on SupaBook-managed VPS infrastructure
  • Database hosting, authentication, storage, payments, and communications may be provided by vetted subprocessors under contractual obligations
  • Current subprocessors are listed in our Data Processing Agreement and described in our Privacy Policy

Infrastructure

  • Application hosted on SupaBook-managed VPS infrastructure
  • Database, authentication, and storage services use Supabase (Postgres)
  • Network isolation between application tiers
  • Automatic patching of underlying OS and runtime
  • DDoS protection at the edge

Application controls

  • Row Level Security (RLS) on every user-facing table — tenant isolation enforced in the database, not just in code
  • JWT-verified API endpoints by default; public endpoints validate signatures
  • Input validation and parameterized queries throughout
  • Strict Content Security Policy and security headers
  • Audit logging for security-relevant actions (auth changes, exports, deletions)

Access controls

  • Owners, admins, members, and limited roles with explicit permission matrices
  • Optional MFA for privileged accounts
  • Session lifetime controls and forced sign-out on role change
  • API keys scoped to studio with rotation support

Secrets and keys

  • Supabase service role keys never reach the browser
  • Per-environment secrets stored in managed secret stores
  • Twilio, Stripe, and provider keys rotated on personnel changes

Payment security

SupaBook partners with Stripe for secure payment processing, so sensitive card and ACH details are handled by Stripe's payment infrastructure. SupaBook does not store full card numbers, CVVs, or full bank account details.

  • Stripe collects and tokenizes payment details through Stripe payment surfaces
  • SupaBook stores the transaction records needed for invoices and reconciliation, not full payment details
  • Payment setup and record updates are handled through secure, validated workflows
  • Processing rates, pass-fee settings, instant payouts, and surcharge guidance are documented in the payment fees guide

Responsible disclosure

Security researchers can report findings to security@supabook.ai. We commit to acknowledging within one business day, providing a status update within five business days, and coordinating disclosure once a fix is shipped.

Related: Trust Center, Privacy Policy, DPA.

Canonical URL: https://supabook.ai/security/