Security Policy

Last updated: 26 March 2026

We take the security of your data seriously. This page describes what we do to protect it, how to report vulnerabilities, and what we do not promise.

What we do

Access control

  • Row-level security (RLS): Every database table has row-level security policies. Users can only access data belonging to their own organisation. This is enforced at the database level, not just the application level.
  • Authentication: User authentication is handled by Supabase Auth with secure session tokens and automatic token refresh.
  • Role-based access: Organisation-level roles control what actions each user can perform.

Data integrity

  • SHA-256 checksums: Uploaded documents are verified with SHA-256 checksums to detect tampering or corruption.
  • Audit logging: All significant account actions are logged with timestamps for accountability.

Transport and infrastructure

  • Encryption in transit: All connections use TLS (HTTPS). Unencrypted connections are not accepted.
  • Encryption at rest: Data stored in Supabase is encrypted at rest using AES-256.
  • Hosting: The web application is hosted on Netlify with automatic HTTPS and DDoS protection.

Application security

  • CSRF protection: Cross-site request forgery tokens protect state-changing requests.
  • Rate limiting: API endpoints are rate-limited to prevent abuse and brute-force attacks.
  • Input validation: All user inputs are validated server-side using schema validation (Zod).
  • Error monitoring: Sentry monitors for application errors. Error reports are anonymised and do not contain user content.

Operational practices

  • Dependency updates: We regularly update dependencies to patch known vulnerabilities.
  • Least privilege: Service accounts and API keys use the minimum required permissions.
  • Soft delete: Deleted data is retained for 30 days (in case of accidental deletion) before permanent removal.

Responsible disclosure

If you discover a security vulnerability in AnswerVault, we ask that you report it responsibly.

How to report

Email support@answervault.co.uk with:

  • A description of the vulnerability.
  • Steps to reproduce it.
  • The potential impact.
  • Your contact details (so we can follow up).

What to expect

  • We will acknowledge your report within 3 business days.
  • We will investigate and aim to resolve confirmed vulnerabilities promptly.
  • We will keep you informed of our progress.
  • We will credit you (if you wish) once the issue is resolved.

What we ask

  • Give us reasonable time to investigate and fix the issue before disclosing it publicly.
  • Do not access, modify, or delete other users' data during your research.
  • Do not perform denial-of-service attacks or social engineering.
  • Act in good faith.

What we do not promise

  • We do not guarantee that the Service is free from all security vulnerabilities.
  • We do not provide a formal bug bounty programme at this time.
  • We do not hold ISO 27001, SOC 2, or Cyber Essentials certification (though we follow industry best practices).
  • Security measures are proportionate to our size and the nature of the data we process. We are a small company providing a business tool, not a defence contractor.

Contact

Security questions or concerns? Contact us at support@answervault.co.uk.