Security posture

Last updated

Security on Hockystick is layered so that no single failure exposes deal data: transport encryption at the edge, authentication through Supabase Auth, authorization enforced inside the database itself, and a signed NDA before any counterparty sees a document.

The layered model

LayerEnforced byWhat it stops
TransportCloudflare edge (TLS 1.3/1.2)Interception of data in transit
AuthenticationSupabase Auth (email + Google OAuth, captcha-protected)Unauthenticated access
AuthorizationPostgreSQL Row Level Security on all 107 tablesOne user reading another user's rows
Team rolesRole permission checks (roles.ts + role_permissions table)A viewer performing admin actions
Deal gatingNDA signature gate before Information Vault unlockDocument access before legal protection exists

Authentication

Sign-in supports email/password and Google OAuth, both through Supabase Auth. Sign-up and sign-in are protected by captcha to block credential-stuffing bots. Sessions are short-lived JWTs with refresh rotation; password changes and account deletion are self-service under Settings → Security.

Authorization

The core rule: authorization lives in the database. Application-level checks exist for UX (hiding buttons a role can't use), but the thing that actually prevents cross-tenant data access is Row Level Security — described in detail on the RLS page. Where a policy needs to consult another table, it does so through SECURITY DEFINER helper functions rather than inline subqueries, which avoids both recursion bugs and policy bypasses.

Secrets management

API keys (AI providers, email, CRM) are stored as encrypted Cloudflare secrets and read only inside server functions at request time. They are never embedded in the client bundle, never exposed with a VITE_ prefix, and never logged.

Known boundaries

We state limits as plainly as guarantees. Hockystick does not currently hold its own SOC 2 attestation — the SOC 2 Type II compliance referenced in these docs belongs to Supabase, our infrastructure provider. Uploaded documents are encrypted at rest but not end-to-end encrypted: the platform can technically read stored files, which is what allows AI summaries and verification to work. If your threat model requires zero platform access to file contents, do not upload those files.