Security Overview
Last updated: April 27, 2026 · Prototype release
Prototype caveat
Shadow Post is an early prototype. The controls below describe how the system is built today, not a formal certification. We do not currently hold SOC 2, ISO 27001, or similar attestations — those come with general availability.
Encryption
All traffic uses TLS 1.2+ end-to-end. Data at rest is encrypted by Supabase (managed Postgres + storage) and by Fly volumes for application hosts. Cookies used for authentication are HTTP-only and Secure.
Tenant isolation
Every user belongs to a tenant. All tenant-scoped tables in Postgres enforce row-level security, so a request can never read another tenant’s data. The API authenticates each request with a Supabase-issued bearer token; service-role keys are never exposed to the browser.
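The shape of a tenant-scoped table under row-level security, as an added illustration rather than Shadow Post's own schema; the table and column names (tenant_members, posts, tenant_id) are assumed, while auth.uid(), auth.users and the authenticated role are standard Supabase objects.

```sql
-- Added example, not Shadow Post's actual schema. Assumed names:
-- tenant_members, posts, tenant_id.

-- Membership: which users belong to which tenant.
create table tenant_members (
  tenant_id uuid not null,
  user_id   uuid not null references auth.users (id) on delete cascade,
  primary key (tenant_id, user_id)
);

-- A tenant-scoped table: every row carries its tenant.
create table posts (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  body      text not null
);

-- Enable RLS, and force it even for the table owner, so that a missing
-- policy denies by default instead of silently returning every row.
alter table posts enable row level security;
alter table posts force row level security;

-- auth.uid() returns the user id from the verified bearer token of the
-- current request. Reads are limited to tenants the caller belongs to.
create policy tenant_read on posts
  for select to authenticated
  using (
    tenant_id in (select tenant_id from tenant_members where user_id = auth.uid())
  );

-- Writes are checked the same way, so a client cannot insert a row
-- tagged with someone else's tenant_id.
create policy tenant_write on posts
  for insert to authenticated
  with check (
    tenant_id in (select tenant_id from tenant_members where user_id = auth.uid())
  );
```

Update and delete need their own policies in the same pattern, since a table with RLS enabled but no policy for a command denies that command. Supabase's service_role bypasses RLS entirely, which is why the overview stresses that service-role keys stay server-side.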
Authentication
Sign-in uses Supabase Auth with magic links — no passwords to phish or reuse. Sessions are short-lived JWTs scoped to your tenant.
Network
Traffic enters via Cloudflare (DDoS protection, WAF, HSTS, strict TLS), terminates at Fly.io edges, and reaches a private 6PN network for service-to-service calls. The database is only reachable through Supabase’s managed proxy.
Vulnerability handling
Found something? Email [email protected] with a description and reproduction steps. We aim to acknowledge within 72 hours during the prototype phase. Please do not publicly disclose until we’ve had a chance to respond.
What we don’t do (yet)
During the prototype phase we do not run a bug bounty, do not publish a public uptime SLA, and do not offer enterprise SSO. These are tracked for general availability.