Storage
- Clips are stored in Supabase Storage on AWS Tokyo (ap-northeast-1).
- Encrypted at rest (AES-256, AWS-managed keys).
- Transport encryption (TLS 1.2+) for every request between browser and server.
Access control
- Row-Level Security at the database layer. Even if the app server were compromised, RLS policies make it impossible for a user's session to read any clips other than that user's own.
- Signed URLs only. Clip videos are served via short-lived signed URLs (1-hour TTL). The bucket itself is private.
- No third-party trackers on dashboard pages. The dashboard is auth-only and ad-free by design.
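How the two controls above fit together at the database layer, as an added example that is not the project's own schema: a minimal clips table with a per-user Row-Level Security policy in the form Supabase uses, and a private storage bucket whose objects are only readable by their owner. The table and column names (`clips`, `owner_id`, `storage_path`), the bucket name and the user-id folder layout are assumptions for the illustration.

```sql
-- Added example (assumed schema, not the project's own).
create table if not exists public.clips (
  id           uuid primary key default gen_random_uuid(),
  owner_id     uuid not null references auth.users (id) on delete cascade,
  storage_path text not null,
  created_at   timestamptz not null default now()
);

-- Until RLS is enabled, any authenticated session can read every row.
alter table public.clips enable row level security;

-- Weak policy, shown for contrast: grants every signed-in user read access
-- to every clip. Do not use.
-- create policy "clips: any authenticated user" on public.clips
--   for select to authenticated using (true);

-- Corrected policy: a session only sees rows whose owner_id equals the user
-- id carried in its own JWT (auth.uid() reads that claim).
create policy "clips: owner can read" on public.clips
  for select to authenticated
  using (auth.uid() = owner_id);

create policy "clips: owner can insert" on public.clips
  for insert to authenticated
  with check (auth.uid() = owner_id);

-- Storage side: the bucket is private (public = false), so objects are only
-- reachable through signed URLs or an explicit policy on storage.objects.
insert into storage.buckets (id, name, public)
values ('clips', 'clips', false)
on conflict (id) do nothing;

-- Objects are stored under a "<user-id>/<file>" prefix (assumed layout);
-- a user may read only the objects in their own folder.
create policy "clip objects: owner can read" on storage.objects
  for select to authenticated
  using (
    bucket_id = 'clips'
    and (storage.foldername(name))[1] = auth.uid()::text
  );
```

These policies are enforced for requests made with the user's JWT. The Supabase service-role key bypasses RLS entirely, so it must never reach the browser; the 1-hour TTL on clip links corresponds to passing `3600` seconds as the expiry argument when the server generates a signed URL for an object in the private bucket.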
Authentication
Sign-in via Google OAuth (web) and email + password (mobile). All sessions managed by Supabase Auth. JWTs stored in localStorage with refresh-token rotation.
Vulnerability disclosure
If you've found a vulnerability, email security@tradeanderror.com with details. We acknowledge within 24 hours and aim to ship a fix within 7 days for high-severity issues. Bounty program: in preparation.
Audit & compliance
- SOC 2: in progress (target: H2 2026)
- GDPR: see GDPR / data protection
- Subprocessors: Supabase, Vercel, Google Cloud (auth)