Security

Last updated: April 29, 2026

We take the security of customer data seriously. This page summarizes the controls we have in place. For anything not covered here, contact us at security@soczap.com.

Encryption

  • In transit: all traffic is served over TLS 1.2 or higher with HSTS enabled. HTTP requests are upgraded automatically.
  • At rest: production databases and storage are encrypted at rest with AES-256 by our infrastructure provider (Supabase / AWS).

Data isolation

Every customer-facing table enforces Row-Level Security (RLS) so a user can only read and write their own rows. The questionnaires storage bucket is private; access is mediated by short-lived signed URLs scoped to the requesting session.

Authentication

  • Email + password with a 12-character minimum and complexity requirements (lower, upper, digit, symbol).
  • Optional TOTP multi-factor authentication. Enroll under Settings → Security.
  • Sessions use HTTP-only cookies signed and rotated by Supabase Auth.
  • Passwords are never stored in plaintext.

Sub-processors

We use a small set of trusted vendors to operate the service. The full list, together with how each vendor handles data, is at /sub-processors.

Vulnerability disclosure

If you believe you have found a security issue, please report it privately to security@soczap.com. We acknowledge reports within 2 business days. Machine-readable contact information is published at /.well-known/security.txt.

We commit to good-faith handling: we will not take legal action against researchers who follow responsible-disclosure practice (no data exfiltration, no service degradation, reasonable time for us to remediate).

Breach notification

If we confirm a security incident affecting customer data, we will notify affected customers within 24 hours of confirmation, by email to the account address on file. Notifications include what we know, what we are doing about it, and what we recommend you do.

Logging and monitoring

We capture application errors via Sentry and product analytics via PostHog. Both vendors handle data per their published policies (see /sub-processors). We rate-limit sensitive endpoints (AI generation, checkout, vault writes) at the application layer using Upstash Redis.

Account deletion

You can permanently delete your account at any time from Settings → Danger zone. Deletion removes your profile, security profile, questionnaires, vault entries, and uploaded files. Residual copies in encrypted database backups are purged within 30 days.

Compliance posture

SocZap is an early-stage product. We are not currently SOC 2 or ISO 27001 certified. We model our controls on those standards and can share our internal control list under NDA. A signable Data Processing Addendum is available on request — see /dpa.