Trust & Safety
Security
Last updated: May 20, 2026
We take security seriously. Here's exactly how we protect your data and what we're working toward.
Current security posture
- TLS 1.3 encryption in transit: All endpoints
- AES-256 encryption at rest: Supabase PostgreSQL
- Slack signature verification: Every webhook request
- Environment-variable secret management: No secrets in code
- Ephemeral-only user notifications: Private to commitment author
- SOC 2 Type II: In progress — Q4 2026
Infrastructure
🚂 Hosting: Railway
Application runs on Railway's managed infrastructure with automatic TLS, isolated containers, and zero-downtime deploys.
🗄️ Database: Supabase
PostgreSQL hosted on Supabase with row-level security, encrypted at rest, and daily automated backups.
🔑 Secrets management
All secrets (bot tokens, API keys, signing secrets) are stored as environment variables — never in source code or logs.
🌐 Network
All traffic served over HTTPS. Slack webhook signatures are verified on every inbound request to prevent spoofing.
Data access controls
- The bot only reads messages in channels it has been explicitly invited to
- Human-to-human DMs are never accessible to the bot
- Commitment notifications are sent only to the person who made the commitment — never to managers, admins, or teammates
- The admin dashboard is protected by a token and scoped strictly to your team's data — no cross-tenant access is possible
- Each workspace's bot token is stored separately and used only for that workspace's requests
What we don't store
- Raw Slack message content (only the extracted commitment summary)
- Google Calendar credentials or calendar content
- Payment details (handled entirely by Stripe)
- Messages from channels the bot hasn't been invited to
Incident response
If we detect or are notified of a security incident affecting user data, we will notify affected workspace admins via Slack DM within 72 hours of confirmation, consistent with GDPR Article 33 requirements.
🔐 Found a vulnerability?
We appreciate responsible disclosure. If you've found a security issue, please email thakartej12@gmail.com with the subject "Security Report". We'll acknowledge within 24 hours and work to resolve valid issues promptly. Please don't publicly disclose issues before we've had a chance to address them.