Security posture
Security on Hockystick is layered so that no single failure exposes deal data: transport encryption at the edge, authentication through Supabase Auth, authorization enforced inside the database itself, and a signed NDA before any counterparty sees a document.
The layered model
| Layer | Enforced by | What it stops |
|---|---|---|
| Transport | Cloudflare edge (TLS 1.3/1.2) | Interception of data in transit |
| Authentication | Supabase Auth (email + Google OAuth, captcha-protected) | Unauthenticated access |
| Authorization | PostgreSQL Row Level Security on all 107 tables | One user reading another user's rows |
| Team roles | Role permission checks (roles.ts + role_permissions table) | A viewer performing admin actions |
| Deal gating | NDA signature gate before Information Vault unlock | Document access before legal protection exists |
Authentication
Sign-in supports email/password and Google OAuth, both through Supabase Auth. Sign-up and sign-in are protected by captcha to block credential-stuffing bots. Sessions are short-lived JWTs with refresh rotation; password changes and account deletion are self-service under Settings → Security.
Authorization
The core rule: authorization lives in the database. Application-level checks exist for UX (hiding buttons a role can't use), but the thing that actually prevents cross-tenant data access is Row Level Security — described in detail on the RLS page. Where a policy needs to consult another table, it does so through SECURITY DEFINER helper functions rather than inline subqueries, which avoids both recursion bugs and policy bypasses.
Secrets management
API keys (AI providers, email, CRM) are stored as encrypted Cloudflare secrets and read only inside server functions at request time. They are never embedded in the client bundle, never exposed with a VITE_ prefix, and never logged.
Known boundaries
We state limits as plainly as guarantees. Hockystick does not currently hold its own SOC 2 attestation — the SOC 2 Type II compliance referenced in these docs belongs to Supabase, our infrastructure provider. Uploaded documents are encrypted at rest but not end-to-end encrypted: the platform can technically read stored files, which is what allows AI summaries and verification to work. If your threat model requires zero platform access to file contents, do not upload those files.