Security Overview
Security
Last updated: May 24, 2026 · Prototype release
Prototype caveat
Shadow Posts is an early prototype. The controls below describe how the system is built today, not a formal certification. We do not currently hold SOC 2, ISO 27001, or similar attestations; those come with general availability.
Encryption
All traffic uses TLS 1.2+ end-to-end. Data at rest is encrypted by Supabase (managed Postgres + storage) and by Fly volumes for application hosts. Cookies used for authentication are HTTP-only and Secure.
Tenant isolation
Every user belongs to a tenant. All tenant-scoped tables in Postgres enforce row-level security so a request can never read another tenant's data. The API authenticates each request with a Supabase-issued bearer token; service-role keys are never exposed to the browser.
Authentication
Sign-in uses Supabase Auth with magic links: no passwords to phish or reuse. Sessions are short-lived JWTs scoped to your tenant.
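The tenant isolation and tenant-scoped JWT described in the two sections above, as an added example in plain Postgres SQL. This is not Shadow Posts' own schema or policy text; it assumes a hypothetical posts table with a tenant_id column and a tenant_id claim inside the session JWT. The request.jwt.claims setting is the one PostgREST (which fronts Supabase's Postgres API) populates from the verified bearer token, so a policy that reads it is evaluated against the caller's own token on every request.

```sql
-- Added example (not Shadow Posts' schema): tenant-scoped row-level security
-- keyed on the tenant_id claim of the request's JWT.
-- Assumptions: table "posts" with a "tenant_id" column; the JWT carries a
-- "tenant_id" claim; PostgREST sets request.jwt.claims from the verified token.

create table if not exists posts (
  id         bigint generated always as identity primary key,
  tenant_id  uuid not null,
  body       text not null
);

-- Tenant of the current request, or NULL when no JWT claims are present.
-- NULL never equals anything, so an unauthenticated request matches no rows.
create or replace function current_tenant_id() returns uuid
language sql stable as $$
  select ((nullif(current_setting('request.jwt.claims', true), ''))::jsonb
          ->> 'tenant_id')::uuid
$$;

alter table posts enable row level security;
-- Apply the policies to the table owner as well; by default owners bypass RLS.
alter table posts force row level security;

create policy posts_tenant_isolation on posts
  for all
  using (tenant_id = current_tenant_id())        -- rows SELECT/UPDATE/DELETE can see
  with check (tenant_id = current_tenant_id());  -- rows INSERT/UPDATE may produce

-- Sanity check with constructed data, rolled back at the end.
begin;

-- Act as a user of tenant A (set_config(..., true) scopes it to this transaction).
select set_config('request.jwt.claims',
  '{"sub":"user-a","tenant_id":"11111111-1111-1111-1111-111111111111"}', true);
insert into posts (tenant_id, body)
  values ('11111111-1111-1111-1111-111111111111', 'tenant A post');

-- Act as a user of tenant B.
select set_config('request.jwt.claims',
  '{"sub":"user-b","tenant_id":"22222222-2222-2222-2222-222222222222"}', true);
insert into posts (tenant_id, body)
  values ('22222222-2222-2222-2222-222222222222', 'tenant B post');

-- Still as tenant B: the USING clause hides tenant A's row from this query,
-- and the UPDATE below matches nothing because A's row is not visible to B.
select id, tenant_id, body from posts order by id;
update posts set body = 'tampered' where body = 'tenant A post';

rollback;
```

Two points a reviewer would check against this: first, the WITH CHECK clause is what stops a client from inserting or updating a row into another tenant's id even though its token is valid, so a policy written with USING alone is incomplete; second, Postgres roles marked BYPASSRLS (Supabase's service_role is one) are not subject to these policies at all, which is exactly why the page's statement that service-role keys never reach the browser matters for the isolation to hold.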
Network
Traffic enters via Cloudflare (DDoS protection, WAF, HSTS, strict TLS), terminates at Fly.io edges, and reaches a private 6PN network for service-to-service calls. The database is only reachable through Supabase's managed proxy.