SECURITY

How Stackr protects your data.

Stackr connects to your operational stack and ingests sensitive business signal. We treat that as a serious responsibility. This page is the technical truth, not a marketing pitch. If anything is unclear, email security@stackr.work.

DATA HANDLING
Encryption in transit. All traffic to stackr.work uses TLS 1.2+. HSTS is preloaded.
Encryption at rest. Customer data lives in Supabase Postgres, which encrypts disks at rest with AES-256. OAuth refresh tokens are stored in Supabase Vault (column-level envelope encryption); the encryption key never leaves Supabase infrastructure.
Tenant isolation. Postgres row-level security policies enforce that one customer can never read another's data. Application-layer ownership assertions provide defense-in-depth on every resource load.
Minimum-scope OAuth. We request read-only scopes wherever possible. Stackr never posts, sends, or writes on your behalf.
No raw message exposure. Slack, Telegram, Crisp, and email payloads are scrubbed of bodies, emails, URLs, and secret-shaped tokens before any LLM call. The brief writes a summary and links back to the source; the source content stays in its original tool.
AI / LLM USE
Provider. Stackr uses a third-party LLM API for brief generation and the Ask Stackr Q&A. The provider is disclosed in our subprocessor list.
Prompt injection defense. Every brief prompt explicitly instructs the model to treat ingested content as data, not instructions. We additionally scrub event metadata of any content that resembles directives.
PII scrubbing before submission. Emails, names, URLs, and other identifying tokens are stripped from event content before any prompt is sent. The LLM sees structured signals, not identities. Identities are rehydrated locally on display.
No model training on your data. Our LLM provider does not train on API inputs by default. We do not separately log inputs for training.
AUTHENTICATION + ACCESS
Customer auth. Email + password via Supabase Auth. Optional Google SSO. Sessions are HTTP-only, secure, SameSite cookies.
Admin auth. Stackr employees access the admin panel via a separately-secured key. SSO with a per-employee session is on the v1.1 roadmap. [v1.1]
Token redemption. Invite tokens are 24 characters of cryptographic randomness, stored only as SHA-256 hashes, verified in constant time, single-use, and IP-rate-limited at redemption.
Rate limiting. Per-user and per-IP limits on every mutation endpoint and on LLM-backed endpoints to prevent abuse and cost-DoS.
INTEGRITY + AUDIT
Webhook signature verification. Stripe and GitHub webhooks verify HMAC signatures before any state change.
Audit log. Every authentication event, integration connect/disconnect, brief view, feedback submission, and admin action is recorded with a timestamp, user ID, IP, and user agent. Logs are retained for the contractual term.
CSP + headers. HSTS preloaded, strict X-Frame-Options DENY, X-Content-Type-Options nosniff, COOP same-origin, Permissions-Policy locked down, CSP in report mode (graduating to enforced after observation).
DATA RIGHTS
Export. Customers can request a full JSON export of their data at any time via privacy@stackr.work. Delivered within 30 days.
Deletion. Customer can delete their account from settings; data is purged within 30 days. Audit logs retained as required for security investigations, then deleted on the documented retention schedule.
Sub-processor changes. 30 days notice via email before any new subprocessor handles your data.
WHAT WE DO NOT YET HAVE
SOC2. Not yet. On the v2 roadmap. We are implementing the controls progressively and will pursue a Type 1 report when ready.
Penetration test. Internal red-team reviews are ongoing. External penetration test is planned before broader launch.
Bug bounty. Not yet. We will credit responsible disclosures publicly with researcher consent (see security.txt).
INCIDENT NOTIFICATION

If we detect a security incident affecting your data, we will notify the customer contact on file within 72 hours of discovery, with information about scope, what we know, and remediation steps. We commit to a post-incident report within 14 days.

RESPONSIBLE DISCLOSURE

Found something? Email security@stackr.work. Full policy at /.well-known/security.txt. We acknowledge within 2 business days.

Acknowledgments: no published disclosures yet.

Security | Stackr